Abstract. We have previously introduced role logic as a notation for describing properties of relational structures in shape analysis, databases and knowledge bases. A natural fragment of role logic corresponds to two-variable logic with counting and is therefore decidable. We show how to use role logic to describe open and closed records, as well as the dual of records, inverse records. We observe that the spatial conjunction operation of separation logic naturally models record concatenation. Moreover, we show how to eliminate the spatial conjunction of formulas of quantifier depth one in first-order logic with counting. As a result, allowing spatial conjunction of formulas of quantifier depth one preserves the decidability of two-variable logic with counting. This result applies to the two-variable role logic fragment as well.

The resulting logic smoothly integrates type system and predicate calculus notation and can be viewed as a natural generalization of the notation for constraints arising in role analysis and similar shape analysis approaches.
1 Introduction

In [36] we have introduced role logic, a notation for describing properties of relational structures in shape analysis, databases and knowledge bases. Role logic notation aims to combine the simplicity of role declarations [33] and the well-established first-order logic. Role logic is closed under all boolean operations and generalizes boolean shape analysis constraints [37]. Role logic formulas easily translate into the traditional first-order logic notation. Despite this generality, role logic enables the concise expression of common properties of data structures in imperative programs that manipulate complex data structures with mutable references. In [36, Section 4] we have established the decidability of the fragment $RL^2$ of role logic by exhibiting a correspondence with two-variable logic with counting $C^2$ [22,45].

Generalized records in role logic. In this paper we give a systematic account of field and slot declarations of role analysis [33] by introducing a set of role logic shorthands that allows concise description of records. Our basic idea is to generalize types to unary predicates on objects. Some of the aspects of our notion of records that indicate its generality are:

1. We allow building new records by taking the conjunction, disjunction, or negation of records.

2. In our notation, a record indicates a property of an object at a particular program point; objects can satisfy different record specifications at different program points. As a result, our records can express typestate changes such as object initialization [16-18,55,56] and more general changes in relationships between objects such as movements of objects between data structures [32,33,54].

3. We allow inverse records as a dual of records that specify incoming edges of an object in the graph of objects representing the program heap. Inverse records allow the specification of aliasing properties of objects, generalizing unique pointers. Inverse records enable the convenient specification of movements of objects that participate in multiple data structures.

4. We allow the specification of both open and closed records. Closed records specify a complete set of outgoing and incoming edges of an object. Open records leave certain edges unspecified, which allows orthogonal data structures to be specified independently and then combined using logical conjunction.

5. We allow the concatenation of generalized records using a form of spatial conjunction of separation logic, while remaining within the decidable fragment of two-variable role logic.

Separation logic. Separation logic [28,43,51,52] is a promising approach for specifying properties of programs in the presence of mutable data structures. One of the main uses of separation logic in previous approaches is dealing with frame conditions [5,28]. In contrast, our paper identifies another use of spatial logic: expressing record concatenation. Although our approach is based on essentially the same logical operation of spatial conjunction, our use of spatial conjunction for records is more local, because it applies to the descriptions of the neighborhood of an object.

To remain within the decidable fragment of role logic, we give in Section 7 a construction that eliminates spatial conjunction when it connects formulas of quantifier depth one. This construction also illustrates that spatial conjunction is useful for reasoning about counting stars [22] of the two-variable logic with counting $C^2$. To our knowledge, this is the first result that combines two-variable logic with counting and a form of spatial conjunction.

Using the resulting logic. We can use specifications written in our notation to describe properties and relations between objects in programs with dynamically allocated data structures. These specifications can act as assertions, preconditions, postconditions, loop invariants or data structure invariants [33,36,39]. By selecting a finite-height lattice of properties for a given program fragment, abstract interpretation [15] can be used to synthesize properties of objects at intermediate program points [2,3,24,33,49,50,54,58,59]. Decidability and closure properties of our notation are essential for the completeness and predictability of the resulting static analysis [38].

Contributions. We summarize the main contributions of this paper as follows:

1. We present a logic which generalizes the concept of records in several directions (Section 5). These generalizations are useful for expressing properties of objects and memory cells in imperative programs, and go beyond standard type systems.

2. We identify a novel use of separation logic: modelling the concatenation of generalized records.

3. We show how to translate role constraints from role analysis [33] to role logic (Section 6).

4. We show that, under certain syntactic restrictions, we can translate spatial conjunction into other constructs of the decidable logic $RL^2$ (Section 7). We therefore obtain a notation that extends $RL^2$ with a convenient way of describing record concatenation, and remains decidable.

5. We present a translation of first-order logic with spatial conjunction and inductive definitions into second-order logic (Section 8.2).

Outline. Section 2 reviews the syntax and semantics of role logic. Section 3 defines spatial conjunction in role logic and motivates its use for describing record concatenation. Section 4 and Section 5 show how to use spatial conjunction in role logic to describe a generalization of records. Section 6 demonstrates that our notation is a generalization of the local constraints arising in role analysis [33] by giving a natural embedding of role constraints into our notation. Section 7 shows how to eliminate the spatial conjunction connective $\circledast$ from a spatial conjunction $F_1 \circledast F_2$ of two formulas $F_1$ and $F_2$ when $F_1$ and $F_2$ have no nested counting quantifiers; this is the core technical result of this paper. A consequence of this result is that we may allow certain uses of spatial conjunction in the $RL^2$ fragment of role logic while preserving the decidability property of $RL^2$. Our extension of role logic with spatial conjunction is therefore justified: it allows record-like specifications to be expressed in a more natural way, and it does not lead outside the decidable fragment. Section 8 contains remarks on preserving the satisfiability of formulas in the presence of spatial conjunction and shows how to encode the spatial conjunction (with inductive definitions) in second-order logic. Section 9 presents related work, and Section 10 concludes. The Appendix contains the details of the correctness proof for the elimination of spatial conjunction from Section 7.

2 A Decidable Two-Variable Role Logic $RL^2$

Fig. 1. The Syntax and the Semantics of $RL^2$



Figure 1 presents the two-variable role logic $RL^2$ [36]. We have proved in [36] that $RL^2$ has the same expressive power as two-variable logic with counting $C^2$. The logic $C^2$ is first-order logic 1) extended with counting quantifiers $\exists^{\geq k} x.\, F(x)$, saying that there are at least $k$ elements $x$ satisfying formula $F(x)$ for some constant $k$, and 2) restricted to allow only two variable names $x, y$ in formulas. An example formula in two-variable logic with counting is

$$\forall x.\, A(x) \Rightarrow (\forall y.\, f(x,y) \Rightarrow \exists^{=1} x.\, g(x,y)) \qquad (1)$$

The formula (1) means that all nodes that satisfy $A(x)$ point along the field $f$ to nodes that have exactly one incoming $g$ edge. Note that the variables $x$ and $y$ may be reused via quantifier nesting, and that formulas of the form $\exists^{=k} x.\, F(x)$ and $\exists^{\leq k} x.\, F(x)$ are expressible as boolean combinations of formulas of the form $\exists^{\geq k} x.\, F(x)$. The logic $C^2$ was shown decidable in [22] and the complexity for the $C^2_1$ fragment of $C^2$ (with counting up to one) was established in [45]. We can view role logic as a variable-free version of $C^2$. Variable-free logical notations are attractive as generalizations of type systems because traditional type systems are often variable-free. The formula (1) can be written in role logic as $[A \Rightarrow [f \Rightarrow \mathrm{card}^{=1}\, {\sim}g]]$, where the construct $[F]$ is a shorthand for $\neg\mathrm{card}^{\geq 1}\, \neg F$ and corresponds to the universal quantifier. The expression ${\sim}g$ denotes the inverse of relation $g$. This paper focuses on the use of role logic to describe generalized records; see [36] for further examples of using role logic and [6] for advantages of variable-free notation in general.

3 Spatial Conjunction

Fig. 2. Semantics and Properties of Spatial Conjunction $\circledast$.

Figure 2 shows our semantics of spatial conjunction $\circledast$. To motivate our use of spatial conjunction, we first illustrate how role logic supports the description of simple properties of objects in a concise way. Indeed, one of the design goals of role logic is to have a logic-based specification language where simple properties of objects are as convenient to write as type declarations in a language like Java.

Example 1. The formula $[f \Rightarrow A]$ is true for an object whose every $f$-field points to an $A$ object, and $[g \Rightarrow B]$ means that every $g$-field points to a $B$ object, so

$$[f \Rightarrow A] \wedge [g \Rightarrow B]$$

denotes the objects that have both $f$ pointing to an $A$ object and $g$ pointing to a $B$ object. Such a specification is as concise as the following Java class declaration:

class C { A f; B g; }
Example 1 illustrates how the presence of conjunction $\wedge$ in role logic enables the combination of orthogonal properties such as constraints on distinct fields. However, not all properties naturally compose using conjunction.

Example 2. Consider a program that contains three fields, modelled as binary relations $f$, $g$, $h$. The formula $P_f = (\mathrm{card}^{=1} f) \wedge (\mathrm{card}^{=0} (g \vee h))$ means that the object has only one outgoing $f$-edge and no other edges. The formula $P_g = (\mathrm{card}^{=1} g) \wedge (\mathrm{card}^{=0} (f \vee h))$ means that the object has only one outgoing $g$-edge and no other edges. If we "physically join" two records, each of which has one field, we obtain a record that has two fields, and is described by the formula

$$P_{fg} = (\mathrm{card}^{=1} f) \wedge (\mathrm{card}^{=1} g) \wedge (\mathrm{card}^{=0} h)$$

Note that it is not the case that $P_{fg} \Leftrightarrow P_f \wedge P_g$. More generally, no boolean combination of $P_f$ and $P_g$ yields $P_{fg}$.

Example 2 prompts the question: is there an operation for joining specifications that allows us to combine $P_f$ and $P_g$ into $P_{fg}$? Moreover, can we define such an operation on records viewed as arbitrary formulas in role logic?

It turns out that there is a natural way to describe the set of models of the formula $P_{fg}$ in Example 2 as the result of "physically merging" the edges (relations) of the models of $P_f$ and the models of $P_g$. The merging of disjoint models of formulas is the idea behind the definition of spatial conjunction $\circledast$ in Figure 2. The predicate $(\mathrm{split}\ e\ [e_1\ e_2])$ is true iff the relations of the model (environment) $e$ can be split into $e_1$ and $e_2$, and the notation generalizes to splitting into any number of environments.

Example 3. For $P_f$, $P_g$, and $P_{fg}$ of Example 2, we have $P_{fg} = P_f \circledast P_g$.

Note that the operation $\circledast$ is associative and commutative. The formula $\mathrm{emp}$, which asserts that all predicates are false, is the unit for $\circledast$. Moreover, $\circledast$ distributes over $\vee$.

A note on relationship with [28]. The semantics of spatial conjunction in 
Figure 2 match the semantics of [28], with two differences. 

A small technical difference is that Figure 2 splits the edges of the model (the tuples of the relations), whereas [28] splits the domain. The difference arises because the elements of the domain in [28] are locations, whereas the elements of our models are objects. To represent a location in our view, we would use a tuple $(o, f)$ where $o$ is an element of the domain and $f$ is a field name.

A higher-level difference is that the use of spatial logic we propose in this 
paper is the notation for records (Section 5), as opposed to the description of 
global heap properties. When used for formulas of quantifier depth one (Sec- 
tion 7), spatial conjunction does not even change the set of definable relations 
of two-variable logic with counting. 

4 Field Complement 

As a step towards record calculus in role logic, this section introduces the notion 
of a field complement, which makes it easier to describe records in role logic. 
Example 4. Consider the formula $P_f = (\mathrm{card}^{=1} f) \wedge (\mathrm{card}^{=0} (g \vee h))$ from Example 2, stating the property that an object has only one outgoing $f$-edge and no other edges. Property $P_f$ has little to do with $g$ or $h$, yet $g$ and $h$ explicitly occur in $P_f$. Moreover, we need to know the entire set of relations in the language to write $P_f$: if the language contains an additional field $i$, the property $P_f$ would become $P_f = (\mathrm{card}^{=1} f) \wedge (\mathrm{card}^{=0} (g \vee h \vee i))$. Note also that $\neg f$ is not the same as $g \vee h \vee i$, because $\neg f$ computes the complement of the value of the relation $f$ with respect to the universal set, whereas $g \vee h \vee i$ is the union of all relations other than $f$.

To address the notational problem illustrated in Example 4, we introduce the symbol $\mathrm{edges}$, which denotes the union of all binary relations, and the notation $-f$ (field complement of $f$), which denotes the union of all relations other than $f$:

$$\mathrm{edges} = \bigvee_{g} g \qquad\qquad -f = \bigvee_{g \neq f} g$$

This additional notation allows us to avoid explicitly listing all fields in the language when stating properties like $P_f$.

Example 5. Formula $P_f$ from Example 4 can be written as $P_f = (\mathrm{card}^{=1} f) \wedge (\mathrm{card}^{=0}\, {-f})$, which mentions only $f$. Even when the language is extended with additional relations, $P_f$ still denotes the intended property. Similarly, to denote the property of an object that has outgoing fields given by $P_f$ and has no incoming fields, we use the predicate $P_f \wedge \mathrm{card}^{=0}\, {\sim}\mathrm{edges}$.

We use the notation edges and — / to build the notation for records and inverse 
records in Section 5 below. 

A note on ternary relation interpretation. It is possible to provide a notation for relations that generalizes the notation $\mathrm{edges}$ and $-f$. The idea of this generalization is to change the definition of the model (environment). Instead of a model that specifies a binary relation for each field, the model specifies the value of one ternary relation $H$ and a unary tag-predicate for each field name. For example, instead of the model that provides interpretations $\llbracket f \rrbracket$ and $\llbracket g \rrbracket$ for two binary relations $f$ and $g$, we could use the model that provides an interpretation of $\llbracket H \rrbracket$, where

$$\llbracket H \rrbracket\, o_1\, o_2\, n = (n = f_0 \wedge \llbracket f \rrbracket\, o_1\, o_2) \vee (n = g_0 \wedge \llbracket g \rrbracket\, o_1\, o_2)$$

and the interpretation of unary tag-predicates $f$ and $g$. Here $f_0$ is an element of the domain that tags tuples coming from $\llbracket f \rrbracket$, whereas $g_0$ tags tuples coming from $\llbracket g \rrbracket$. We interpret $f$ as a predicate that is true only on the element $f_0$, and similarly $g$ as a predicate true only on the element $g_0$. We then introduce the following dereferencing shorthand:

$$\uparrow F = \{H \wedge F\} \qquad (2)$$

The expression $\uparrow f$ now denotes the original interpretation of $f$, that is, $\llbracket \uparrow f \rrbracket = \llbracket f \rrbracket$. Moreover, $\uparrow \neg f$ corresponds to the field complement $-f$, and $\uparrow \mathrm{True}$ corresponds to $\mathrm{edges}$. Note that expressions of the form $\uparrow(\neg f \wedge \neg g)$ are now also available. Let $B$ be a boolean combination of unary predicates denoting fields. These unary predicates are disjoint, so transforming $B$ into disjunctive normal form and applying the property

$$\uparrow(B_1 \vee B_2) = \uparrow B_1 \vee \uparrow B_2$$

which follows from (2), allows transforming $\uparrow B$ into a boolean combination of expressions of the form $\uparrow f$ and $\uparrow g$. This means that we obtain no additional expressive power using expressions of the form $\uparrow B$ where $B$ is a boolean combination of unary predicates denoting fields, so for simplicity we do not consider such "ternary relation interpretation" further in this paper.

5 Records and Inverse Records 

In this section we use role logic with spatial conjunction and field complement 
from Section 4 to introduce a notation for records. We also introduce inverse 
records, which are dual to records, and correspond to slot constraints in role 
analysis [33]. 



Fig. 3. Record Notation
Figure 3 presents the notation for records and inverse records. A field predicate $f \to A$ is true for an object whose only outgoing edge in the graph (model) is an $f$-edge terminating at $A$. Dually, a slot predicate $A \leftarrow f$ is true for an object whose only incoming edge in the graph is an $f$-edge originating at $A$. A multifield predicate $f \twoheadrightarrow A$ is true iff the object has any number of outgoing $f$-edges terminating at $A$, and no other edges. Dually, a multislot predicate $A \twoheadleftarrow f$ is true iff the object has any number of incoming $f$-edges originating from $A$, and no other edges. We also allow the notation $f \to^{s} A$ where $s$ is an expression of the form $=k$, $\leq k$, or $\geq k$. This notation gives a bound on the number of outgoing edges, and implies that there are no other outgoing edges. We similarly introduce $A \leftarrow^{s} f$. A closed record is a spatial conjunction of fields and multifields. An open record is a spatial conjunction of a closed record with $\mathrm{True}$. While a closed record allows only the listed fields, an open record allows any number of additional fields. Inverse records are dual to records, and we similarly distinguish open and closed inverse records.

Example 6. To describe a closed record whose only fields are $f$ and $g$, where $f$-fields point to objects in the set $A$ and $g$-fields point to objects in the set $B$, we use the predicate $P_1 = f \to A \circledast g \to B$. The definition of $P_1$ lists all fields of the object. To specify an open record which certainly has fields $f$ and $g$ but may or may not have other fields, we write $P_2 = f \to A \circledast g \to B \circledast \mathrm{True}$. Neither $P_1$ nor $P_2$ restricts the incoming references of an object. To specify that the only incoming references of an object are from the field $h$, we conjoin $P_2$ with the closed inverse record consisting of a single multislot $\mathrm{True} \twoheadleftarrow h$, yielding the predicate $P_3 = P_2 \wedge \mathrm{True} \twoheadleftarrow h$. To specify that an object has exactly one incoming reference, and that the incoming reference is from the $h$ field and originates from an object belonging to the set $C$, we use $P_4 = P_2 \wedge C \leftarrow h$. Note that specifications $P_3$ and $P_4$ go beyond most standard type systems in their ability to specify the incoming (in addition to the outgoing) references of objects.
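The following Python model checker is an added worked example, not code from the paper: it evaluates the formulas of Examples 2, 3 and 6 on small finite models, implementing spatial conjunction by enumerating every split of the edge set as in Figure 2. It assumes that only the tuples of the binary relations are split (unary predicates are shared), reads the Figure 3 arrows as described in the text above, and uses models constructed here.

```python
from itertools import product

# Added example, not code from the paper: a brute-force model checker for the
# role-logic fragment of Examples 2, 3 and 6.  A model is (unary, binary): unary
# maps a predicate name to a set of objects, binary maps a field name to a set
# of (source, target) edges.  A formula is a function (model, obj) -> bool.
# Assumption: spatial conjunction splits only the edges (tuples of the binary
# relations), as the note on Figure 2 states; unary predicates are shared.

def out_edges(m, o):
    return {(r, t) for r, es in m[1].items() for (s, t) in es if s == o}

def in_edges(m, o):
    return {(r, s) for r, es in m[1].items() for (s, t) in es if t == o}

def pred(name):                     # unary predicate such as A or C
    return lambda m, o: o in m[0].get(name, ())

def card(rels, k):
    """card=k (r1 v ... v rn): exactly k distinct targets over the union of rels."""
    return lambda m, o: len({t for r, t in out_edges(m, o) if r in rels}) == k

def conj(*fs):
    return lambda m, o: all(f(m, o) for f in fs)

true = lambda m, o: True

def splits(binary):
    """All partitions of the edge set into two sub-models (the split of Fig. 2)."""
    edges = [(r, e) for r, es in binary.items() for e in es]
    for sides in product((0, 1), repeat=len(edges)):
        halves = ({r: set() for r in binary}, {r: set() for r in binary})
        for side, (r, e) in zip(sides, edges):
            halves[side][r].add(e)
        yield halves

def spatial(f1, f2):
    """f1 (*) f2: some split satisfies f1 on one half and f2 on the other."""
    return lambda m, o: any(f1((m[0], b1), o) and f2((m[0], b2), o)
                            for b1, b2 in splits(m[1]))

# Figure 3 notation, as described in Section 5 (assumed reading of the arrows).
def field(f, A):
    """f -> A: the only outgoing edge is an f-edge to an object satisfying A."""
    return lambda m, o: (len(out_edges(m, o)) == 1 and
                         all(r == f and A(m, t) for r, t in out_edges(m, o)))

def slot(A, h):
    """A <- h: the only incoming edge is an h-edge from an object satisfying A."""
    return lambda m, o: (len(in_edges(m, o)) == 1 and
                         all(r == h and A(m, s) for r, s in in_edges(m, o)))

def multislot(A, h):
    """A <<- h (multislot): any number of incoming h-edges from A, nothing else."""
    return lambda m, o: all(r == h and A(m, s) for r, s in in_edges(m, o))

# Example 2.
P_f  = conj(card({'f'}, 1), card({'g', 'h'}, 0))
P_g  = conj(card({'g'}, 1), card({'f', 'h'}, 0))
P_fg = conj(card({'f'}, 1), card({'g'}, 1), card({'h'}, 0))

def all_models(fields=('f', 'g', 'h'), targets=(0, 1, 2), obj=0):
    """Every model whose edges leave `obj`; edges leaving other objects cannot
    change card at `obj`, so this is exhaustive for the formulas of Example 2."""
    possible = [(r, (obj, t)) for r in fields for t in targets]
    for chosen in product((False, True), repeat=len(possible)):
        binary = {r: set() for r in fields}
        for keep, (r, e) in zip(chosen, possible):
            if keep:
                binary[r].add(e)
        yield ({}, binary)

def equivalent(f1, f2):
    return all(f1(m, 0) == f2(m, 0) for m in all_models())

def example3_holds():
    """P_fg = P_f (*) P_g on every model, while P_f ^ P_g has no model at all."""
    return (equivalent(spatial(P_f, P_g), P_fg) and
            not any(conj(P_f, P_g)(m, 0) for m in all_models()))

def no_boolean_combination():
    """Two models on which P_f and P_g are both false but P_fg differs: every
    boolean combination of P_f and P_g agrees on them, so none equals P_fg."""
    both_false = [m for m in all_models() if not P_f(m, 0) and not P_g(m, 0)]
    return {P_fg(m, 0) for m in both_false} == {True, False}

# Example 6 on two constructed models.  In M6 object 0 has f -> 1 (an A),
# g -> 2 (a B) and an extra k-edge; its incoming edges are h-edges from 3
# (a C) and from 4.  M6b drops the k-edge and the edge from 4.
M6  = ({'A': {1}, 'B': {2}, 'C': {3}},
       {'f': {(0, 1)}, 'g': {(0, 2)}, 'k': {(0, 2)}, 'h': {(3, 0), (4, 0)}})
M6b = ({'A': {1}, 'B': {2}, 'C': {3}},
       {'f': {(0, 1)}, 'g': {(0, 2)}, 'h': {(3, 0)}})
P1 = spatial(field('f', pred('A')), field('g', pred('B')))   # closed record
P2 = spatial(P1, true)                                       # open record
P3 = conj(P2, multislot(true, 'h'))                          # only h-edges come in
P4 = conj(P2, slot(pred('C'), 'h'))                          # exactly one, from a C

def example6(m):
    """Truth values of P1..P4 at object 0; P1 fails on M6 because of the k-edge."""
    return (P1(m, 0), P2(m, 0), P3(m, 0), P4(m, 0))
```

The exhaustive check over all edge sets leaving object 0 confirms Example 3 and the claim that no boolean combination of $P_f$ and $P_g$ yields $P_{fg}$; the open record $P_2$ tolerates the extra k-edge in M6, whereas the closed record $P_1$ does not.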

6 Role Constraints 

Role constraints were introduced in [30,31,33]. In this section we show that role logic is a natural generalization of role constraints by giving a translation from role constraints to role logic. A logical view of role constraints is also suggested in [35,35]. A role is a set of objects that satisfy a conjunction of the following four kinds of constraints: field constraints, slot constraints, identities, acyclicities. In this paper we show that role logic naturally models field constraints, slot constraints, and identities.¹

Roles describing complete sets of fields and slots. Figure 4 shows the translation of role constraints [33, Section 3] into role logic formulas. The simplicity of the translation is a consequence of the notation for records that we have developed in this paper.

¹ Acyclicities go beyond first-order logic because they involve non-local transitive closure properties.
$$\mathcal{C}[\text{fields } F;\ \text{slots } S;\ \text{identities } I;\ \text{acyclic } A] = \mathcal{C}[\text{fields } F] \wedge \mathcal{C}[\text{slots } S] \wedge \mathcal{C}[\text{identities } I] \wedge \mathcal{C}[\text{acyclic } A]$$

$$\mathcal{C}[\text{fields } f_1 : S_1, \ldots, f_n : S_n] = f_1 \to S_1 \circledast \cdots \circledast f_n \to S_n$$

$$\mathcal{C}[\text{slots } S_1.f_1, \ldots, S_n.f_n] = S_1 \leftarrow f_1 \circledast \cdots \circledast S_n \leftarrow f_n$$

$$\mathcal{C}[\text{identities } f_1.g_1, \ldots, f_n.g_n] = \bigwedge_{i=1}^{n} [f_i \Rightarrow {\sim}g_i]$$

$$\mathcal{C}[\text{acyclic } f_1, \ldots, f_n] = \mathrm{acyclic}\Big(\bigvee_{i=1}^{n} f_i\Big)$$

Fig. 4. Translation of Role Constraints [33] into Role Logic Formulas



$$\mathcal{C}_\circ[\text{fields } F;\ \text{slots } S;\ \text{identities } I;\ \text{acyclic } A] = \mathcal{C}_\circ[\text{fields } F] \wedge \mathcal{C}_\circ[\text{slots } S] \wedge \mathcal{C}[\text{identities } I] \wedge \mathcal{C}[\text{acyclic } A]$$

$$\mathcal{C}_\circ[\text{fields } f_1 : S_1, \ldots, f_n : S_n] = \mathcal{C}[\text{fields } f_1 : S_1, \ldots, f_n : S_n] \circledast \mathrm{card}^{=0}\Big(\bigvee_{i=1}^{n} f_i\Big)$$

$$\mathcal{C}_\circ[\text{slots } S_1.f_1, \ldots, S_n.f_n] = \mathcal{C}[\text{slots } S_1.f_1, \ldots, S_n.f_n] \circledast \mathrm{card}^{=0}\Big(\bigvee_{i=1}^{n} {\sim}f_i\Big)$$

Fig. 5. Translation of Simultaneous Role Constraints [33, Section 7.2] into Role Logic Formulas. See also Figure 4.



Simultaneous Roles. In object-oriented programs, objects may participate in multiple data structures. The idea of simultaneous roles [33, Section 7.2] is to associate one role with the participation of an object in one data structure. When the object participates in multiple data structures, the object plays multiple roles. Role logic naturally models simultaneous roles: each role is a unary predicate, and if an object satisfies multiple roles, the object satisfies the conjunction of the predicates. Figure 5 presents the translation of field and slot constraints of simultaneous roles into role logic. Whereas the roles of [33, Section 3] translate to closed records and closed inverse records, the simultaneous roles of [33, Section 7.2] translate to specifications that are closer to open records and open inverse records.



7 Eliminating Spatial Conjunction in $RL^2$

Preserving the decidability. Previous sections have demonstrated the usefulness of adding record concatenation in the form of spatial conjunction to our notation for generalized records. However, a key question remains: is the resulting extended notation decidable? In this section we give an affirmative answer to this question by showing how to compute the spatial conjunction using the remaining logical operations for a large class of record specifications.
Approach. Consider two formulas $F_1$ and $F_2$ in first-order logic with counting, where both $F_1$ and $F_2$ have quantifier depth one. An equivalent way of stating the condition on $F_1$ and $F_2$ is that there are no nested occurrences of quantifiers. (Note that we count one application of $\exists^{\geq k} x.\, P$ as one quantifier, regardless of the value $k$.) We show that, under these conditions, the spatial conjunction $F_1 \circledast F_2$ can be written as an equivalent formula $F_3$ where $F_3$ does not contain the spatial conjunction operation $\circledast$. The proof proceeds by writing the formulas $F_1$, $F_2$ in a normal form, as a disjunction of counting stars [22], and showing that the spatial conjunction of counting stars is equivalent to a disjunction of counting stars.

As a consequence of the results in this section, adding the operation $\circledast$ to logic with counting does not change its expressive power provided that both $F_1$ and $F_2$ have quantifier depth at most one. Here we allow $F_1$ and $F_2$ themselves to contain spatial conjunction, because we may eliminate spatial conjunction in $F_1$ and $F_2$ recursively. Applying these results to two-variable logic with counting $C^2$, we conclude that introducing into $C^2$ the spatial conjunction of formulas of quantifier depth one preserves the decidability of $C^2$. Furthermore, thanks to the translations between $C^2$ and $RL^2$ in [36], if we allow the spatial conjunction of $RL^2$ formulas with no nested $\mathrm{card}$ occurrences, we preserve the decidability of the logic $RL^2$. The formulas of the resulting logic are given by

$$F ::= A \mid f \mid \mathrm{EQ} \mid F_1 \wedge F_2 \mid \neg F \mid F' \mid {\sim}F \mid \mathrm{card}^{\geq k} F \mid F_1 \circledast F_2 \quad\text{(if $F_1$ and $F_2$ have no nested card occurrences)}$$

Note that record specifications in Figure 3 contain no nested $\mathrm{card}$ occurrences, so joining them using $\circledast$ yields formulas in the decidable fragment. Hence, in addition to quantifiers and boolean operations, the resulting logic supports a generalization of record concatenation, and is still decidable; this decidability property is what we show in the sequel. We present a sketch of the proof; see the Appendix for proof details.

7.1 Atomic Type Formulas 

In this section we introduce classes of formulas that correspond to the model- 
theoretic notion of atomic type [44, Page 20] (see [25, Page 42] and [12, Page 78] 
for the notion of type in general). We then introduce formulas that describe the 
notion of counting stars [22,45]. We conclude this section with Proposition 12, 
which gives the normal form for formulas of quantifier depth one. 

If $\mathcal{C} = C_1, \ldots, C_m$ is a finite set of formulas, then a cube over $\mathcal{C}$ is a conjunction of the form $C_1^{a_1} \wedge \ldots \wedge C_m^{a_m}$ where $a_i \in \{0, 1\}$, $C^1 = C$ and $C^0 = \neg C$. For simplicity, fix a finite language $L = \mathcal{A} \cup \mathcal{T}$ with $\mathcal{A}$ a finite set of unary predicate symbols and $\mathcal{T}$ a finite set of binary predicate symbols. We work in predicate calculus with equality, and assume that the equality "$=$", where ${=} \notin \mathcal{T}$, is present as a binary relation symbol, unless explicitly stated otherwise. We use $D$ to denote a finite domain of interpretation and $e$ to denote a model with variable assignment; $e$ maps $\mathcal{A}$ to $2^D$, maps $\mathcal{T}$ to $2^{D \times D}$ and maps variables to elements of $D$. Let $x_1, \ldots, x_n$ be a finite list of distinct variables. Let $\mathcal{C}$ be the set of all atomic formulas $F$ such that $FV(F) \subseteq \{x_1, \ldots, x_n\}$. The set $\mathcal{C}$ is finite (in our case it has $|\mathcal{A}|\,n + (|\mathcal{T}| + 1)\,n^2$ elements). We call a cube over $\mathcal{C}$ a complete atomic type (CAT) formula.

Example 7. If $\mathcal{A} = \{A\}$ and $\mathcal{T} = \{f\}$, then

$$A(x_1) \wedge \neg A(x_2) \wedge \neg f(x_1, x_1) \wedge \neg f(x_2, x_2) \wedge f(x_1, x_2) \wedge \neg f(x_2, x_1) \wedge x_1 = x_1 \wedge x_2 = x_2 \wedge x_1 \neq x_2 \wedge x_2 \neq x_1$$

is a CAT formula.

We may treat conjunction of literals as the set of literals, so we say that "a literal 
belongs to the conjunction" and apply set-theoretic operations on conjunctions 
of literals. 

From the disjunctive normal form theorem for propositional logic, we obtain 
the following Proposition 8. 

Proposition 8. Every quantifier-free formula $F$ such that $FV(F) \subseteq \{x_1, \ldots, x_n\}$ is equivalent to a disjunction of CAT formulas $C$ such that $FV(C) = \{x_1, \ldots, x_n\}$.

A CAT formula may be contradictory if, for example, it contains the literal $x_i \neq x_i$ as a conjunct. We next define classes of CAT formulas that are satisfiable in the presence of equality. Let $x_1, \ldots, x_n$ be distinct variables. A general-case CAT (GCCAT) formula is a CAT formula $F$ such that the following two conditions hold: 1) $FV(F) = \{x_1, \ldots, x_n\}$; 2) for all $1 \leq i, j \leq n$, the conjunct $x_i = x_j$ is in $F$ iff $i = j$. Let $x_1, \ldots, x_n$ and $y_1, \ldots, y_m$ be distinct variables. An equality CAT (EQCAT) formula is a formula of the form $\bigwedge_{j=1}^{m} y_j = x_{i_j} \wedge F$ where $1 \leq i_1, \ldots, i_m \leq n$ and $F$ is a GCCAT formula such that $FV(F) = \{x_1, \ldots, x_n\}$.

Lemma 9. Every CAT formula F is either contradictory, or is equivalent to an 
EQCAT formula F' such that FV(F') = FV(F). 

From Proposition 8 and Lemma 9, we obtain the following Proposition 10. 

Proposition 10. Every quantifier-free formula $F$ such that $FV(F) \subseteq \{x_1, \ldots, x_n\}$ can be written as a disjunction of EQCAT formulas $C$ such that $FV(C) = \{x_1, \ldots, x_n\}$.

We next introduce the notion of an extension of a GCCAT formula. Let $x, x_1, \ldots, x_n$ be distinct variables and $F$ be a GCCAT formula such that $FV(F) = \{x_1, \ldots, x_n\}$. We say that $F'$ is an $x$-extension of $F$, and write $F' \in \mathrm{exts}(F, x)$, iff all of the following conditions hold: 1) $F \wedge F'$ is a GCCAT formula; 2) $FV(F \wedge F') = \{x, x_1, \ldots, x_n\}$; 3) $F$ and $F'$ have no common atomic formulas. Note that if $FV(F_1) = FV(F_2)$, then $\mathrm{exts}(F_1, x) = \mathrm{exts}(F_2, x)$, i.e. the set of extensions of a GCCAT formula depends only on the free variables of the formula; we introduce the additional notation $\mathrm{exts}(x_1, \ldots, x_n, x)$ to denote $\mathrm{exts}(F, x)$ for $FV(F) = \{x_1, \ldots, x_n\}$.
To define a normal form for formulas of quantifier depth one, we introduce the notion of $k$-counting star. If $p \geq 2$ is a non-negative integer, let $p^+$ be a new symbol which represents the co-finite set of integers $\{p, p+1, \ldots\}$. Let $C_p = \{0, 1, \ldots, p-1, p^+\}$. If $i \in C_p$, by $\exists^{i} x.\, P$ we mean $\exists^{=i} x.\, P$ if $i$ is an integer, and $\exists^{\geq p} x.\, P$ if $i = p^+$. We say that a formula $F$ has a counting degree of at most $p$ iff the only counting quantifiers in $F$ are of the form $\exists^{c} x.\, G$ for some $c \in C_{p+1}$.

Definition 11 (Counting Star Formula). Let $x, x_1, \ldots, x_n$, and $y_1, \ldots, y_m$ be distinct variables, $k \geq 1$ a positive integer, and $F$ a GCCAT formula such that $FV(F) = \{x_1, \ldots, x_n\}$. A $k$-counting star function for $F$ is a function $\gamma : \mathrm{exts}(F, x) \to C_{k+1}$. A $k$-counting-star formula for $\gamma$ is a formula of the form

$$\bigwedge_{j=1}^{m} y_j = x_{i_j} \;\wedge\; F \;\wedge \bigwedge_{F' \in \mathrm{exts}(F, x)} \exists^{\gamma(F')} x.\, F'$$

where $1 \leq i_1, \ldots, i_m \leq n$.

Note that in Definition 11, the formula $\bigwedge_{j=1}^{m} y_j = x_{i_j} \wedge F$ is an EQCAT formula, and the formula $\bigwedge_{j=1}^{m} y_j = x_{i_j} \wedge F \wedge F'$ is an EQCAT formula for each $F' \in \mathrm{exts}(F, x)$.

The following Proposition 12 shows that formulas of quantifier depth at most one are equivalent to disjunctions of counting stars.

Proposition 12 (Depth-One Normal Form). Let $F$ be a formula such that $F$ has quantifier depth at most one, $F$ has counting degree at most $k$, and $FV(F) \subseteq \{x_1, \ldots, x_n\}$. Then $F$ is equivalent to a disjunction of $k$-counting-star formulas $F_C$ where $FV(F_C) = \{x_1, \ldots, x_n\}$.

7.2 Spatial Conjunction of Stars 

Sketch of the construction. Let $F_1$ and $F_2$ be two formulas of quantifier depth at most one, not containing the logical operation $\circledast$. By Proposition 12, let $F_1$ be equivalent to the disjunction of counting star formulas $\bigvee_{i=1}^{n_1} C_{1,i}$ and let $F_2$ be equivalent to the disjunction of counting star formulas $\bigvee_{j=1}^{n_2} C_{2,j}$. By the distributivity law of $\circledast$ with respect to $\vee$, we have

$$F_1 \circledast F_2 \;\equiv\; \Big(\bigvee_{i=1}^{n_1} C_{1,i}\Big) \circledast \Big(\bigvee_{j=1}^{n_2} C_{2,j}\Big) \;\equiv\; \bigvee_{i=1}^{n_1} \bigvee_{j=1}^{n_2} C_{1,i} \circledast C_{2,j}$$

In the sequel we show that a spatial conjunction of counting-star formulas is either contradictory or is equivalent to a disjunction of counting star formulas. This suffices to eliminate spatial conjunction of formulas of quantifier depth at most one. Moreover, if $F$ is any formula of quantifier depth at most one, possibly containing $\circledast$, by repeated elimination of the innermost $\circledast$ we obtain a formula without $\circledast$.

To compute the spatial conjunction of counting stars we establish an alternative syntactic form for counting star formulas. The idea of this alternative form is roughly to replace a counting quantifier such as $\exists^{=k} x.\, F'$ with a spatial conjunction of $k$ formulas each of which has a meaning similar to $\exists^{=1} x.\, F'$, and then combine a formula $\exists^{=1} x.\, F'_1$ resulting from one counting star with a formula $\exists^{=1} x.\, F'_2$ resulting from another counting star into the formula $\exists^{=1} x.\, (F'_1\ F'_2)$, where the infix merge operator denotes merging of GCCAT formulas by taking the union of their positive literals. We next develop this idea in greater detail.

Notation for spatial representation of stars. Let $G_E(x_1,\ldots,x_n)$ be the unique GCCAT formula $F$ with $FV(F) = \{x_1,\ldots,x_n\}$ such that the only positive literals in $F$ are the literals $x_i = x_i$ for $1 \le i \le n$. Similarly, there is a unique formula $F' \in \mathrm{exts}(x_1,\ldots,x_n,x)$ such that every atomic formula in $F'$ other than $x = x$ occurs in a negated literal. We call $F'$ the empty extension and denote it $\mathrm{empEx}(x_1,\ldots,x_n,x)$.

To compute a spatial conjunction of formulas $C_1$ and $C_2$ in the language $L$, we temporarily consider formulas in an extended language $L' = L \cup \{B_1, B_2\}$, where $B_1$ and $B_2$ are two new unary predicates used to mark formulas. We use $B_1$ to mark formulas derived from $C_1$, and $B_2$ to mark formulas derived from $C_2$. For $m \in \{\emptyset, \{1\}, \{2\}, \{1,2\}\}$, define
\[
\begin{array}{ll}
\mathrm{Mark}_\emptyset(x) = \neg B_1(x) \wedge \neg B_2(x) & \mathrm{Mark}_1(x) = B_1(x) \wedge \neg B_2(x) \\
\mathrm{Mark}_2(x) = \neg B_1(x) \wedge B_2(x) & \mathrm{Mark}_{1,2}(x) = B_1(x) \wedge B_2(x)
\end{array}
\]

Note that when we say that $F$ is a GCCAT formula, we mean that $F$ is a GCCAT formula in language $L$ (and thus $F$ mentions symbols only from $L$), even when we use $F$ as a subformula of a larger formula in language $L'$. Similarly, the expressions $\mathrm{exts}(x_1,\ldots,x_n,x)$, $\mathrm{empEx}(F,x)$, and $G_E(x_1,\ldots,x_n)$ all denote formulas in language $L$.

On the other hand, $\mathrm{empEx}_\emptyset(F,x)$ and $\mathrm{empe}$ are formulas in language $L'$. Formula $\mathrm{empEx}_\emptyset(F,x)$ is an empty extension of $F$ in language $L'$. Formula $\mathrm{empe}$ asserts that $x_1,\ldots,x_n$ have an empty GCCAT formula and that the remaining elements have an empty extension in $L'$. Formula $\mathrm{empe}$ does not constrain the values $B_1(x_i)$ and $B_2(x_i)$; these values turn out to be irrelevant. Let $F' \in \mathrm{exts}(x_1,\ldots,x_n,x)$. Define
\[
\mathrm{empEx}_\emptyset(x_1,\ldots,x_n,x) = \mathrm{empEx}(x_1,\ldots,x_n,x) \wedge \mathrm{Mark}_\emptyset(x)
\]
\[
\mathrm{empe}(x_1,\ldots,x_n) = G_E(x_1,\ldots,x_n) \wedge \forall x.\, \Big(\bigwedge_{i=1}^n x \ne x_i\Big) \Rightarrow \mathrm{empEx}_\emptyset(x_1,\ldots,x_n,x)
\]
We write $\mathrm{empEx}_\emptyset(F,x)$ for $\mathrm{empEx}_\emptyset(x_1,\ldots,x_n,x)$ if $FV(F) = \{x_1,\ldots,x_n\}$, and similarly $\mathrm{empe}(F)$ for $\mathrm{empe}(x_1,\ldots,x_n)$. We write simply $\mathrm{empe}$ if $F$ and $x$ are understood.

We next introduce the formulas $\langle F'\rangle^*_m$ and $\langle F'\rangle_m$, which are the building blocks for representing counting-star formulas. Formula $\langle F'\rangle^*_m$ means that $F'$ marked with $m$ and $\mathrm{empEx}_\emptyset(F,x)$ are the only extensions of $F$ that hold in the neighborhood of $x_1,\ldots,x_n$ ($F'$ may hold for any number of neighbors). Formula $\langle F'\rangle_m$ means that $F'$ holds for exactly one element in the neighborhood of $x_1,\ldots,x_n$, and all other neighbors have empty extensions. More precisely, let $F' \in \mathrm{exts}(x_1,\ldots,x_n,x)$. Define
\[
\langle F'\rangle^*_m = G_E(x_1,\ldots,x_n) \wedge \forall x.\, \Big(\bigwedge_{i=1}^n x \ne x_i\Big) \Rightarrow \big(F' \wedge \mathrm{Mark}_m(x)\big) \vee \mathrm{empEx}_\emptyset(F,x)
\]
\[
\langle F'\rangle_m = \langle F'\rangle^*_m \wedge \exists^{=1} x.\, \Big(\bigwedge_{i=1}^n x \ne x_i\Big) \wedge F' \wedge \mathrm{Mark}_m(x)
\]
where $m \in \{\emptyset,\{1\},\{2\},\{1,2\}\}$. Observe that $G \circledast \mathrm{empe} \sim G$ if $G = \langle F'\rangle^*_m$ or $G = \langle F'\rangle_m$ for some $F'$ and $m$. Also note that $\langle F'\rangle^*_m \circledast \langle F'\rangle^*_m \sim \langle F'\rangle^*_m$.
\[
\begin{array}{l}
E \wedge F \text{: EQCAT formula},\qquad F \text{: GCCAT formula} \\[6pt]
\mathcal{S}_m[E \wedge F \wedge \exists^{s_1} x.\,F'_1 \wedge \ldots \wedge \exists^{s_k} x.\,F'_k] =
  E \wedge \mathcal{K}[F] \circledast \mathcal{X}_m[\exists^{s_1} x.\,F'_1] \circledast \ldots \circledast \mathcal{X}_m[\exists^{s_k} x.\,F'_k] \\[6pt]
\mathcal{K}[F] = F \wedge \forall x.\, \big(\bigwedge_{i=1}^n x \ne x_i\big) \Rightarrow \mathrm{empEx}_\emptyset(F,x) \\[6pt]
\mathcal{X}_m[\exists^{0} x.\,F'] = \mathrm{empe} \\[2pt]
\mathcal{X}_m[\exists^{i+1} x.\,F'] = \langle F'\rangle_m \circledast \mathcal{X}_m[\exists^{i} x.\,F'] \\[2pt]
\mathcal{X}_m[\exists^{i+} x.\,F'] = \mathcal{X}_m[\exists^{i} x.\,F'] \circledast \langle F'\rangle^*_m
\end{array}
\]
Fig. 6. Translation of Counting Stars to Spatial Notation



Translation of counting stars. Figure 6 presents the translation of counting stars to spatial notation. The idea of the translation is to replace $\exists^{=k} x.\,F'$ with the spatial conjunction of $k$ formulas $\langle F'\rangle_m \circledast \ldots \circledast \langle F'\rangle_m$ where $m \in \{\{1\},\{2\}\}$. The purpose of the marker $m$ is to ensure that the $k$ witnesses for $x$ that are guaranteed to exist by $\langle F'\rangle_m \circledast \ldots \circledast \langle F'\rangle_m$ are distinct. The reason that the witnesses are distinct for $m \ne \emptyset$ is that no two of them can satisfy $B_i(x)$ at the same time for $i \in m$: spatial conjunction splits the interpretation of $B_i$ among the conjuncts, so a given element satisfies $B_i$ in at most one of them.
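As an added illustration of Figure 6 (this example is not part of the original paper, and the small extension set below is an assumption made only to keep it short), take counting degree $k = 1$, so that every count is one of $=0$, $=1$, $2^+$, write $\exists^{i}$ for $\exists^{=i}$ as Figure 6 does, and suppose that $\mathrm{exts}(F,x) = \{E_0, T_1, T_2, T_{12}\}$ with $E_0 = \mathrm{empEx}(F,x)$, $S(T_1) \cap S(T_2) = \emptyset$ and $S(T_{12}) = S(T_1) \cup S(T_2)$. For the counting star
\[
C_1 = E \wedge F_1 \wedge \exists^{1} x.\,T_1 \wedge \exists^{0} x.\,T_2 \wedge \exists^{0} x.\,T_{12} \wedge \exists^{2+} x.\,E_0
\]
the equations of Figure 6 with $m = \{1\}$ unfold as
\[
\begin{array}{rcl}
\mathcal{X}_1[\exists^{1} x.\,T_1] & = & \langle T_1\rangle_1 \circledast \mathcal{X}_1[\exists^{0} x.\,T_1] \;=\; \langle T_1\rangle_1 \circledast \mathrm{empe} \\[2pt]
\mathcal{X}_1[\exists^{0} x.\,T_2] & = & \mathrm{empe} \qquad \text{(and likewise for } T_{12}\text{)} \\[2pt]
\mathcal{X}_1[\exists^{2+} x.\,E_0] & = & \mathcal{X}_1[\exists^{2} x.\,E_0] \circledast \langle E_0\rangle^*_1
  \;=\; \langle E_0\rangle_1 \circledast \langle E_0\rangle_1 \circledast \mathrm{empe} \circledast \langle E_0\rangle^*_1
\end{array}
\]
so that, after dropping the $\mathrm{empe}$ conjuncts using $G \circledast \mathrm{empe} \sim G$,
\[
\mathcal{S}_1[C_1] \;\sim\; E \wedge \mathcal{K}[F_1] \circledast \langle T_1\rangle_1 \circledast \langle E_0\rangle_1 \circledast \langle E_0\rangle_1 \circledast \langle E_0\rangle^*_1 .
\]
Each $\langle E_0\rangle_1$ contributes one neighbor that carries $B_1$ and has the empty extension; the two such neighbors are distinct because a split assigns the $B_1$ value of an element to exactly one conjunct, and $\langle E_0\rangle^*_1$ permits any number of further neighbors of the same kind.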

To show the correctness of the translation in Figure 6, define $e_m$ to be the $L'$-environment obtained by extending an $L$-environment $e$ according to the marking $m$, and $e_1{\restriction}$ to be the restriction of an $L'$-environment $e_1$ to language $L$. More precisely, if $e$ is an environment in language $L$, then for $m \in \{\emptyset,\{1\},\{2\},\{1,2\}\}$ define the environment $e_m$ in language $L'$ by 1) $e_m\, r = e\, r$ for $r \in L$ and 2) for $q \in \{1,2\}$, $(e_m B_q)\, d = \mathrm{True}$ iff $q \in m$ and $d \notin \{e\,x_1,\ldots,e\,x_n\}$. Conversely, if $e_1$ is an environment in language $L'$, define the environment $e_1{\restriction}$ in language $L$ by $e_1{\restriction}\, r = e_1\, r$ for all $r \in L$. Lemma 13 below gives the correctness criterion for the translation in Figure 6.

Lemma 13. If $e$ is an environment for language $L$, $C$ a counting-star formula in language $L$, and $m \in \{\{1\},\{2\},\{1,2\}\}$, then $[\![C]\!]e = [\![\mathcal{S}_m[C]]\!]e_m$.



\[
\begin{array}{lll}
(1) & \langle T_1\rangle_1 \circledast \langle T_2\rangle_2 & \rightsquigarrow\; \langle T_1 \oplus T_2\rangle_{1,2} \\[2pt]
(2) & \langle T_1\rangle_1 \circledast \langle T_2\rangle^*_2 & \rightsquigarrow\; \langle T_1 \oplus T_2\rangle_{1,2} \circledast \langle T_2\rangle^*_2 \\[2pt]
(3) & \langle T_1\rangle^*_1 \circledast \langle T_2\rangle_2 & \rightsquigarrow\; \langle T_1\rangle^*_1 \circledast \langle T_1 \oplus T_2\rangle_{1,2} \\[2pt]
(4) & \langle T_1\rangle^*_1 \circledast \langle T_2\rangle^*_2 & \rightsquigarrow\; \langle T_1\rangle^*_1 \circledast \langle T_2\rangle^*_2 \circledast \langle T_1 \oplus T_2\rangle^*_{1,2} \\[2pt]
(5) & \langle T\rangle^*_1 & \rightsquigarrow\; \mathrm{empe} \\[2pt]
(6) & \langle T\rangle^*_2 & \rightsquigarrow\; \mathrm{empe}
\end{array}
\]
Fig. 7. Transformation Rules for Combining Spatial Conjuncts
Combining quantifier-free formulas. Let $C_1 \circledast C_2$ be a spatial conjunction of two counting-star formulas
\[
\begin{array}{l}
C_1 = E \wedge F_1 \wedge \exists^{s_{1,1}} x.\,F'_{1,1} \wedge \ldots \wedge \exists^{s_{1,k}} x.\,F'_{1,k} \\[2pt]
C_2 = E \wedge F_2 \wedge \exists^{s_{2,1}} x.\,F'_{2,1} \wedge \ldots \wedge \exists^{s_{2,k}} x.\,F'_{2,k}
\end{array}
\]
where $F_1$ and $F_2$ are GCCAT formulas with $FV(F_1) = FV(F_2) = \{x_1,\ldots,x_n\}$, $E \wedge F_1$ and $E \wedge F_2$ are EQCAT formulas, and $E = \bigwedge_{j=1}^m y_j = x_{i_j}$.

Note that we assume that the two GCCAT formulas $F_1$ and $F_2$ have the same free variables and that the equalities $E$ in the two EQCAT formulas are the same. This assumption is justified because either 1) $C_1$ and $C_2$ make inconsistent assumptions about equalities among $x_1,\ldots,x_n$, and therefore $C_1 \circledast C_2$ is equivalent to False, or 2) $C_1$ and $C_2$ make the same assumptions about equalities among $x_1,\ldots,x_n$, so we can rewrite $C_1$ and $C_2$ to satisfy our assumption by exchanging the variables $x_j$ and $y_j$ in the definition of an EQCAT formula.

To show how to transform the formula $\mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2]$ into a disjunction of formulas of the form $\mathcal{S}_{1,2}[C_3]$, we introduce the following notation. If $T$ is a formula, let $S(T)$ denote the set of positive literals in $T$ that do not contain equality. Let $T_1 \in \mathrm{exts}(F_1,x)$ and $T_2 \in \mathrm{exts}(F_2,x)$. (Note that $\mathrm{exts}(F_1,x) = \mathrm{exts}(F_2,x)$.) We define the partial operation $T_1 \oplus T_2$ as follows. The result of $T_1 \oplus T_2$ is defined iff $S(T_1) \cap S(T_2) = \emptyset$. If $S(T_1) \cap S(T_2) = \emptyset$, then $T_1 \oplus T_2 = T$ where $T$ is the unique element of $\mathrm{exts}(F_1,x)$ such that $S(T) = S(T_1) \cup S(T_2)$. Similarly, we define the partial operation $F_1 \oplus F_2$ for GCCAT formulas $F_1$ and $F_2$ with $FV(F_1) = FV(F_2) = \{x_1,\ldots,x_n\}$. The result of $F_1 \oplus F_2$ is defined iff $S(F_1) \cap S(F_2) = \emptyset$. If $S(F_1) \cap S(F_2) = \emptyset$, then $F_1 \oplus F_2$ is the unique GCCAT formula $F$ such that $FV(F) = \{x_1,\ldots,x_n\}$ and $S(F) = S(F_1) \cup S(F_2)$. The following Lemma 14 notes that $\oplus$ is a sound rule for computing the spatial conjunction of such quantifier-free formulas (an undefined $\oplus$ is read as False, since a positive literal shared by both operands cannot be assigned to both halves of a split).

Lemma 14. If $T_1, T_2 \in \mathrm{exts}(x_1,\ldots,x_n,x)$ then $T_1 \circledast T_2 \sim T_1 \oplus T_2$. If $F_1$ and $F_2$ are GCCAT formulas with $FV(F_1) = FV(F_2) = \{x_1,\ldots,x_n\}$, then $F_1 \circledast F_2 \sim F_1 \oplus F_2$.

Rules for transforming spatial conjuncts. We transform the formula $\mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2]$ into a disjunction of formulas of the form $\mathcal{S}_{1,2}[C_3]$ as follows.

The first step in transforming $C_1 \circledast C_2$ is to replace $\mathcal{K}[F_1] \circledast \mathcal{K}[F_2]$ with $\mathcal{K}[F_1 \oplus F_2]$ if $F_1 \oplus F_2$ is defined, or with False if $F_1 \oplus F_2$ is not defined.

The second step is summarized in Figure 7, which presents rules for combining conjuncts resulting from $\mathcal{X}_1[\exists^{s_1} x.\,F_1]$ and $\mathcal{X}_2[\exists^{s_2} x.\,F_2]$ into conjuncts of the form $\mathcal{X}_{1,2}[\exists^{s} x.\,F]$. The intuition is that $\langle T\rangle^*_m$ and $\langle T\rangle_m$ represent a finite abstraction of all possible neighborhoods of $x_1,\ldots,x_n$, and the rules in Figure 7 represent the ways in which different portions of the neighborhoods combine under spatial conjunction. We apply the rules in Figure 7 modulo commutativity and associativity of $\circledast$, the fact that $\mathrm{empe}$ is a unit for $\circledast$, and the idempotence of $\langle T\rangle^*_m$. Rules (1)-(4) are applicable only when the occurrence of $T_1 \oplus T_2$ on the right-hand side of the rule is defined. We apply rules (1)-(4) as long as possible, and then apply rules (5), (6). Moreover, we only allow the sequences of rule applications that eliminate all occurrences of $\langle T\rangle_1$, $\langle T\rangle^*_1$, $\langle T\rangle_2$, $\langle T\rangle^*_2$, leaving only $\langle T\rangle_{1,2}$ and $\langle T\rangle^*_{1,2}$. Note also that there are only finitely many non-equivalent expressions that can be obtained by sequences of applications of the rules in Figure 7. Namely, an application of rules (1)-(3) decreases the total number of spatial conjuncts of the form $\langle T\rangle_1$ and $\langle T\rangle_2$, multiple applications of rule (4) to the same pair of spatial conjuncts are unnecessary because of the idempotence of $\langle T_1 \oplus T_2\rangle^*_{1,2}$ (so we never perform them), and rules (5), (6) reduce the total number of spatial conjuncts. The following Lemma 15 gives the partial correctness of the rules in Figure 7.

Lemma 15. If $G_1 \rightsquigarrow G_2$, then $G_2 \Rightarrow G_1$ is valid.

Define $G_1 \Rrightarrow G_2$ to hold iff both of the following two conditions hold: 1) $G_2$ results from $G_1$ by replacing $\mathcal{K}[F_1] \circledast \mathcal{K}[F_2]$ with $\mathcal{K}[F_1 \oplus F_2]$ if $F_1 \oplus F_2$ is defined, or with False if $F_1 \oplus F_2$ is not defined, and then applying some sequence of rules in Figure 7 such that rules (5), (6) are applied only when rules (1)-(4) are not applicable; 2) $G_2$ contains only spatial conjuncts of the form $\langle T\rangle_{1,2}$ and $\langle T\rangle^*_{1,2}$. From Lemma 15 and Lemma 14 we immediately obtain Lemma 16.

Lemma 16. If $G_1 \Rrightarrow G_2$, then $G_2 \Rightarrow G_1$ is valid.

The rule for computing the spatial conjunction of counting-star formulas is the following. If $C_1$, $C_2$, and $C_3$ are counting-star formulas, define $\mathcal{R}(C_1,C_2,C_3)$ to hold iff $\mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2] \Rrightarrow \mathcal{S}_{1,2}[C_3]$. We compute the spatial conjunction by replacing $C_1 \circledast C_2$ with $\bigvee_{\mathcal{R}(C_1,C_2,C_3)} C_3$. Our goal is therefore to show the equivalence
\[
C_1 \circledast C_2 \;\sim\; \bigvee_{\mathcal{R}(C_1,C_2,C_3)} C_3 \tag{3}
\]
The validity of $\big(\bigvee_{\mathcal{R}(C_1,C_2,C_3)} C_3\big) \Rightarrow (C_1 \circledast C_2)$ follows from Lemma 16 and Lemma 13.

Lemma 17. $\big(\bigvee_{\mathcal{R}(C_1,C_2,C_3)} C_3\big) \Rightarrow (C_1 \circledast C_2)$ is a valid formula for every pair of counting-star formulas $C_1$ and $C_2$.

We next consider the converse claim. If $[\![C_1 \circledast C_2]\!]e$, then there are $e_1$ and $e_2$ such that $\mathrm{split}\, e\,[e_1,e_2]$, $[\![C_1]\!]e_1$, and $[\![C_2]\!]e_2$. By considering the atomic types induced in $e$, $e_1$ and $e_2$ by the elements in $D \setminus \{e\,x_1,\ldots,e\,x_n\}$, we construct a sequence of transformations from Figure 7 that converts $\mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2]$ into a formula $\mathcal{S}_{1,2}[C_3]$ such that $[\![C_3]\!]e = \mathrm{True}$.

Lemma 18. $(C_1 \circledast C_2) \Rightarrow \bigvee_{\mathcal{R}(C_1,C_2,C_3)} C_3$ is a valid formula for every pair of counting-star formulas $C_1$ and $C_2$.

From Lemma 17 and Lemma 18 we obtain the desired Theorem 19, which establishes the correctness of our rules for computing the spatial conjunction of formulas of quantifier depth at most one.

Theorem 19. The equivalence (3) holds for every pair of counting-star formulas $C_1$ and $C_2$.
8 Further Remarks



In this section we present two additional remarks regarding spatial conjunction. The first remark notes that we must be careful when extracting a subformula from a formula and labelling it with a new predicate. The second remark shows how to encode spatial conjunction in second-order logic, thus providing some insight into the expressive power of spatial conjunction.

8.1 Extracting Subformulas in the Presence of $\circledast$

In two-variable logic with counting $C^2$ we may efficiently transform a formula into an unnested form by introducing new predicate names and naming subformulas using these predicates. This transformation is a standard step in decidability proofs for two-variable logic with counting [22,45].

The satisfiability of the resulting formula is equivalent to the satisfiability of the original formula. An extraction of a subformula $G$ and its replacement with a new predicate $P$ can be justified by a substitution lemma of the form
\[
[\![F[P := G]]\!]e = [\![F]\!](e[P := [\![G]\!]e])
\]
where $e$ is the environment (model). This substitution lemma does not hold in the presence of spatial conjunction that splits the values of newly introduced predicates. Namely,
\[
[\![(F_1 \circledast F_2)[P := G]]\!]e \;\Rightarrow\; [\![F_1 \circledast F_2]\!](e[P := [\![G]\!]e])
\]
holds, but the converse implication does not hold, because the value $[\![G]\!]e$ of the relation $P$ might be split on the right-hand side.

It is therefore interesting to divide predicates into splittable and non-splittable predicates, and to have spatial conjunction split only the interpretations of splittable predicates. The substitution lemma then holds when $P$ is a non-splittable predicate.

Note, however, that in the presence of non-splittable predicates we cannot translate counting stars into spatial notation and thus use the unnested form to eliminate all spatial conjunctions from first-order formulas. As a result, adding spatial conjunction of formulas of large quantifier depth to two-variable logic with counting may increase the expressive power of the resulting logic.

We also remark that if the language contains only one splittable unary predicate $A$, then it is easy to simulate the splitting of objects of the universe, which is the semantics of spatial conjunction in [28]. Namely, we use the fixed unary predicate $A$ to denote all "live" objects, and make all quantifiers range only over the objects that satisfy $A$.

8.2 Representing $\circledast$ in Second-Order Logic

In this section we give a simple translation from first-order logic with spatial conjunction and inductive definitions [27, Chapter 4] to second-order logic. This gives an upper bound on the expressive power of first-order logic with spatial conjunction and inductive definitions.

Consider first-order logic extended with the spatial conjunction $\circledast$ and the least-fixpoint operator. The syntax of the least-fixpoint operator is
\[
(\mathrm{lfp}\, P, x_1, \ldots, x_n.\, F)(y_1, \ldots, y_n)
\]
where $F$ is a formula that may contain the new free variables $P, x_1, \ldots, x_n$. The meaning of the least-fixpoint operator is that the relation which is the least fixpoint of the monotonic transformation on predicates
\[
(\lambda x_1,\ldots,x_n.\, P(x_1,\ldots,x_n)) \;\mapsto\; (\lambda x_1,\ldots,x_n.\, F)
\]
holds for $y_1,\ldots,y_n$. To ensure the monotonicity of the transformation on predicates, we require that $P$ occurs only positively in $F$.

\[
\begin{array}{l}
\mathcal{A} = \{A_1,\ldots,A_n\},\qquad \mathcal{F} = \{f_1,\ldots,f_m\} \\[6pt]
[\![F' \circledast F'']\!] = \exists A'_1,\ldots,A'_n, f'_1,\ldots,f'_m, A''_1,\ldots,A''_n, f''_1,\ldots,f''_m.\; \mathcal{B}[\![F' \circledast F'']\!] \\[6pt]
\mathcal{B}[\![F' \circledast F'']\!] = \displaystyle\bigwedge_{i=1}^n \mathrm{split}_1\, A_i\, A'_i\, A''_i \;\wedge\; \bigwedge_{i=1}^m \mathrm{split}_2\, f_i\, f'_i\, f''_i \;\wedge\;
  [\![F']\!][A_i := A'_i]_{i=1}^n [f_i := f'_i]_{i=1}^m \;\wedge\; [\![F'']\!][A_i := A''_i]_{i=1}^n [f_i := f''_i]_{i=1}^m \\[6pt]
\mathrm{split}_1\, A\, A'\, A'' = \forall x.\, \big(A(x) \Leftrightarrow (A'(x) \vee A''(x))\big) \wedge \neg\big(A'(x) \wedge A''(x)\big) \\[4pt]
\mathrm{split}_2\, f\, f'\, f'' = \forall x, y.\, \big(f(x,y) \Leftrightarrow (f'(x,y) \vee f''(x,y))\big) \wedge \neg\big(f'(x,y) \wedge f''(x,y)\big) \\[6pt]
[\![(\mathrm{lfp}\, P, x_1,\ldots,x_n.\, F)(y_1,\ldots,y_n)]\!] = \forall P.\, \big(\forall x_1,\ldots,x_n.\, (F \Leftrightarrow P(x_1,\ldots,x_n))\big) \Rightarrow P(y_1,\ldots,y_n)
\end{array}
\]
Fig. 8. Translation of Spatial Conjunction and Inductive Definitions into Second-Order Logic

Figure 8 presents the translation from first-order logic extended with spatial conjunction and the least-fixpoint operator to second-order logic. The translation directly mimics the semantics of $\circledast$ and $\mathrm{lfp}$.

In second-order logic, the relations in $L = \mathcal{A} \cup \mathcal{F}$ become free variables. To translate $\circledast$, use second-order quantification to assert the existence of new unary and binary relations that partition the relations in $L$ into relations in $L'$ and $L''$. Then perform a syntactic replacement of the relations in $L$ with the corresponding relations in $L'$ for the first formula, and with the corresponding relations in $L''$ for the second formula.
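The relation-splitting reading of $\circledast$ from Figure 8, together with the splittable/non-splittable distinction of Section 8.1, as an added example on a finite structure (this is not code from the paper). It evaluates $F' \circledast F''$ by enumerating, for every splittable relation, all partitions of its tuples into two disjoint halves, exactly as the existential second-order quantification over $A'_i, A''_i, f'_i, f''_i$ with the $\mathrm{split}$ conditions does; relations declared non-splittable are shared by both halves. Formulas are plain Python predicates on an environment, and the structure (elements $a, b, c$ and a binary relation $f$) is constructed for the example. The last function goes beyond the paragraph and builds $\exists^{=k} x.\, f(\mathit{var}, x)$ as a $k$-fold spatial conjunction of "exactly one" formulas ending in a "no edge" formula, which is the shape of $\mathcal{X}_m[\exists^{k} x.\,F']$ in Figure 6 without the marker predicates.

```python
"""Spatial conjunction as relation splitting on a finite structure.

Added example, not the paper's code.  [[F' (*) F'']]env holds iff there exist
splits of every splittable relation into two disjoint halves such that F' holds
in the left halves and F'' in the right halves; variables and non-splittable
relations (Section 8.1) are shared by both halves unchanged.
"""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Iterator, Tuple

Tup = Tuple[str, ...]
Env = Dict[str, object]          # variable -> element, relation -> frozenset of tuples
Formula = Callable[[Env], bool]


def splits(rel: FrozenSet[Tup]) -> Iterator[Tuple[FrozenSet[Tup], FrozenSet[Tup]]]:
    """Every (R', R'') with R = R' disjoint-union R'', i.e. the split_1/split_2
    conditions of Figure 8 for one relation."""
    ts = sorted(rel)
    for bits in product((False, True), repeat=len(ts)):
        left = frozenset(t for t, b in zip(ts, bits) if b)
        yield left, rel - left


def spatial_conj(f1: Formula, f2: Formula, env: Env, splittable: Iterable[str]) -> bool:
    """[[F' (*) F'']]env, splitting only the relations named in `splittable`."""
    names = sorted(set(splittable))
    for parts in product(*(list(splits(env[r])) for r in names)):
        e1: Env = dict(env)
        e2: Env = dict(env)
        for r, (left, right) in zip(names, parts):
            e1[r], e2[r] = left, right
        if f1(e1) and f2(e2):
            return True
    return False


def out_degree(rel: str, var: str, env: Env) -> int:
    """Number of tuples (var, y) in rel, i.e. the f-neighbours of var."""
    return sum(1 for t in env[rel] if t[0] == env[var])


def exists_edge(rel: str, var: str) -> Formula:
    """E x. rel(var, x)"""
    return lambda e: out_degree(rel, var, e) >= 1


def exactly_one_edge(rel: str, var: str) -> Formula:
    """E^{=1} x. rel(var, x): one neighbour, the rest of the neighbourhood empty."""
    return lambda e: out_degree(rel, var, e) == 1


def exactly_k_edges_via_spatial(rel: str, var: str, k: int) -> Formula:
    """E^{=k} x. rel(var, x) built as k spatial conjuncts that each demand exactly
    one edge, ending in the 'no edge' formula that plays the role of empe.
    Disjointness of the split makes the k witnesses distinct, which is what the
    markers B_1, B_2 enforce in the paper's translation."""
    one = exactly_one_edge(rel, var)
    if k == 0:
        return lambda e: out_degree(rel, var, e) == 0
    rest = exactly_k_edges_via_spatial(rel, var, k - 1)
    return lambda e: spatial_conj(one, rest, e, {rel})


if __name__ == "__main__":
    # Constructed structure: a has f-edges to b and c; x is interpreted as a.
    env: Env = {"x": "a", "f": frozenset({("a", "b"), ("a", "c")})}
    has = exists_edge("f", "x")
    print("(E x.f(x,.)) (*) (E x.f(x,.)) with f splittable:", spatial_conj(has, has, env, {"f"}))
    print("E^{=2} via spatial conjunction:", exactly_k_edges_via_spatial("f", "x", 2)(env))
    print("E^{=1} via spatial conjunction:", exactly_k_edges_via_spatial("f", "x", 1)(env))
```

With $f$ splittable, $\exists x.\,f(a,x) \circledast \exists x.\,f(a,x)$ demands two distinct edges and fails on a structure with a single edge, while with $f$ non-splittable both conjuncts see the same edge and the spatial conjunction collapses to an ordinary conjunction; this is the difference that breaks the substitution lemma for splittable $P$ in Section 8.1.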

Translating $\mathrm{lfp}$ is also straightforward. The property that $P$ is a fixpoint of $F$ is easily expressible. To encode that $y_1,\ldots,y_n$ hold for the least fixpoint of $F$, we state that $y_1,\ldots,y_n$ hold for all fixpoints of $F$, using universal second-order quantification over $P$.

We also note that the translation of $\circledast$ in Figure 8 uses only existential second-order quantification, which points to another class of formulas where spatial conjunction can be eliminated if we are only concerned with satisfiability. Namely, if $F'$ and $F''$ are first-order formulas (without $\circledast$ or $\mathrm{lfp}$), then $F' \circledast F''$ is satisfiable iff the first-order formula $\mathcal{B}[\![F' \circledast F'']\!]$ in the extended language is satisfiable. As a slight generalization, define the following class of "interesting" formulas:

1. a first-order formula $F$ is an interesting formula;

2. if $F_1$ and $F_2$ are interesting formulas, so is $F_1 \circledast F_2$;

3. if $F_1$ and $F_2$ are interesting formulas, so is $F_1 \vee F_2$.

The satisfiability of each interesting formula is equivalent to the satisfiability of the corresponding first-order formula in an extended vocabulary. In particular, the satisfiability of the class of formulas formed starting from formulas in two-variable logic with counting and applying only $\vee$ and $\circledast$ is decidable.

9 Further Related Work 

Records have been studied in the context of functional and object-oriented programming languages [11,14,23,29,42,46-48,57]. The main difference between existing record notations and our system is that the interpretation of a record in our system is a predicate on an object, where an object is linked to other objects forming a graph, as opposed to being a type that denotes a value (with values typically representable as finite trees). Our view is appropriate for programming languages such as Java and ML that can manipulate structures using destructive updates. Our generalizations allow developers to express both incoming and outgoing references of objects, and allow developers to express typestate changes.

We have developed role logic to provide a foundation for role analysis [30-33]. We have subsequently studied a simplification of role analysis constraints and showed a characterization of such constraints using formulas [34,35]. Multifields and multislots are present already in [32, Section 8.1]. In this section we have shown that role logic provides a unifying framework for all these constraints and goes beyond them in 1) being closed under the fundamental boolean logical operations, and 2) being closed under spatial conjunction for an interesting class of formulas. The view of roles as predicates is equivalent to the view of roles as sets and works well in the presence of data abstraction [39,40].

The parametric analysis based on three-valued logic was introduced in [53,54]. Other approaches to verifying shape invariants include [13,19-21,26,41]. A decidable logic for expressing connectivity properties of the heap was presented in [4]. We use spatial conjunction from separation logic, which has been used for reasoning about the heap [7,8,28,51,52]. Description logics [1,6] share many of the properties of role logic and have traditionally been applied to knowledge bases. [9,10] present doubly-exponential deterministic algorithms for reasoning about the satisfiability of expressive description logics over all structures and over finite structures. The decidability of two-variable logic with counting $C^2$ was shown in [22], whereas [45] establishes the NEXPTIME-completeness of the satisfiability problem for the fragment $C^2_1$ with counting up to one.

10 Conclusions 

We have shown how to add notation for records to two-variable role logic while 
preserving its decidability. The resulting notation supports a generalization of 
traditional records with record specifications that are closed under all boolean 
operations as well as record concatenation, allow the description of typestate 
properties, support inverse records, and capture the distinction between open 
and closed records. We believe that such an expressive and decidable notation is 
useful as an annotation language used with program analyses and type systems. 

Acknowledgements. We thank the participants of the Dagstuhl Seminar 
03101 "Reasoning about Shape" for useful discussions on separation logic and 
shape analysis. 
A Appendix: Correctness of Spatial Conjunction Elimination

Proposition 8. Every quantifier-free formula $F$ such that $FV(F) \subseteq \{x_1,\ldots,x_n\}$ is equivalent to a disjunction of CAT formulas $C$ such that $FV(C) = \{x_1,\ldots,x_n\}$.

Proof. Let $F$ be a quantifier-free formula with $FV(F) \subseteq \{x_1,\ldots,x_n\}$. Transform $F$ to disjunctive normal form $F'$. Let $C$ be a conjunction in $F'$. If $C$ contains a literal and its negation, then $C$ is contradictory and we eliminate $C$ from $F'$. Assume all conjunctions are non-contradictory, and let $C$ be one conjunction. If there exists an atomic formula $F_A$ in the variables $\{x_1,\ldots,x_n\}$ such that $F_A \notin C$ and $(\neg F_A) \notin C$, then replace $C$ with the disjunction
\[
(C \wedge F_A) \vee (C \wedge \neg F_A)
\]
By repeating this process, we obtain a disjunction of CAT formulas.

Lemma 9. Every CAT formula $F$ is either contradictory, or is equivalent to an EQCAT formula $F'$ such that $FV(F') = FV(F)$.

Proof. Let $F$ be a CAT formula. If $x_i \ne x_i$ occurs in $F$, then $F$ is contradictory. If $x_i = x_j$ occurs in $F$ for $i \ne j$, then in all conjuncts other than $x_i = x_j$ replace all occurrences of $x_i$ with $x_j$. Repeat this process as long as it is possible. Suppose that the resulting formula was not established to be contradictory. Let $y_1,\ldots,y_m$ be the variables that occur only on the left-hand side of some equality $y_j = x_{i_j}$. Removing all equalities of the form $y_j = y_j$ yields an EQCAT formula.

Proposition 10. Every quantifier-free formula $F$ such that $FV(F) \subseteq \{x_1,\ldots,x_n\}$ can be written as a disjunction of EQCAT formulas $C$ such that $FV(C) = \{x_1,\ldots,x_n\}$.

Proof. Let $F$ be a quantifier-free formula such that $FV(F) \subseteq \{x_1,\ldots,x_n\}$. Using Proposition 8, transform $F$ to a disjunction $F_1$ of CAT formulas. Then, for each conjunction $C$ of $F_1$, apply Lemma 9 to transform $C$ to an EQCAT formula.

Proposition 12. Let $F$ be a formula such that $F$ has quantifier depth at most one, $F$ has counting degree at most $k$, and $FV(F) \subseteq \{x_1,\ldots,x_n\}$. Then $F$ is equivalent to a disjunction of $k$-counting-star formulas $F_C$ where $FV(F_C) = \{x_1,\ldots,x_n\}$.

Proof. Let $F$ be a formula such that $F$ has quantifier depth at most one, $F$ has counting degree at most $k$, and $FV(F) \subseteq \{x_1,\ldots,x_n\}$. Then $F$ is a boolean combination of 1) atomic formulas and 2) formulas of the form $\exists^s z.\,F'$ where $F'$ is quantifier-free and $FV(F') = \{z, x_1,\ldots,x_n\}$. Because $z$ is a bound variable, rename it to $x$ in each formula $F'$. Let $F_1$ be the result of transforming this boolean combination to disjunctive normal form. Consider a disjunct $C$ of $F_1$. As in the proof of Proposition 10, and treating quantified formulas as atomic syntactic entities, transform $C$ into a disjunction of formulas of the form
\[
\bigwedge_{j=1}^m y_j = w_{i_j} \;\wedge\; F \;\wedge\; \bigwedge_{F' \in S} \big(\exists^{\beta(F')} x.\,F'\big)^{\alpha(F')}
\]
where $\beta(F') \in C_{k+1}$, $\alpha(F') \in \{0,1\}$ for $F' \in S$ (with $G^1$ standing for $G$ and $G^0$ for $\neg G$), and where $\bigwedge_{j=1}^m y_j = w_{i_j} \wedge F$ is an EQCAT formula with $y_1,\ldots,y_m,w_1,\ldots,w_p$ distinct variables such that $\{y_1,\ldots,y_m,w_1,\ldots,w_p\} = \{x_1,\ldots,x_n\}$, and $FV(F') \subseteq \{x, x_1,\ldots,x_n\}$ for $F' \in S$. Here $S$ is the set of formulas of the form $\exists^{\beta(F')} x.\,F'$ that end up conjoined with the EQCAT formula as the result of the transformation to normal form. By replacing each $y_j$ with $w_{i_j}$ in each $F'$, enforce that $FV(F') \subseteq \{x, w_1,\ldots,w_p\}$. Using Proposition 10, transform each $F'$ to a disjunction of EQCAT formulas.
Using Proposition 10, transform each F' to a disjunction of EQCAT formulas. 
By applying the equivalences
\[
\exists^{\ge k} x.\, \bigvee_{i=1}^q B_i \;\sim\; \bigvee_{k_1 + \cdots + k_q = k}\; \bigwedge_{i=1}^q \exists^{\ge k_i} x.\, B_i
\qquad\qquad
\exists^{= k} x.\, \bigvee_{i=1}^q B_i \;\sim\; \bigvee_{k_1 + \cdots + k_q = k}\; \bigwedge_{i=1}^q \exists^{= k_i} x.\, B_i
\]
for $B_1,\ldots,B_q$ mutually exclusive, and propagating the disjunction to the top level, ensure that every $F'$ is an EQCAT formula. Then transform each term $(\exists^{\beta(F')} x.\,F')^{\alpha(F')}$ into a positive boolean combination of formulas of one of the forms $\exists^{=i} x.\,F'$ for $0 \le i \le k$ and $\exists^{\ge k+1} x.\,F'$, using the properties
\[
\neg \exists^{\ge k_1} x.\,F' \;\sim\; \bigvee_{i=0}^{k_1 - 1} \exists^{=i} x.\,F'
\qquad\qquad
\neg \exists^{= k_1} x.\,F' \;\sim\; \bigvee_{i \in \{0,\ldots,k\} \setminus \{k_1\}} \exists^{=i} x.\,F' \;\vee\; \exists^{\ge k+1} x.\,F'
\]

Next ensure that each $F'$ is not merely an EQCAT formula, but in fact a GCCAT formula such that $F' \in \mathrm{exts}(F,x)$, as follows.

Suppose that $F'$ contains a literal $L_1$ complementary to some literal occurring in the GCCAT formula $F$. If $L_1$ occurs in $\exists^{=i} x.\,F'$ for $i > 0$ or in $\exists^{\ge k+1} x.\,F'$, then the entire conjunct is contradictory and we eliminate it. If $L_1$ occurs in $\exists^{=0} x.\,F'$, then $\exists^{=0} x.\,F'$ is implied by $F$, so eliminate it. Assume that $F'$ has no literals complementary to literals in $F$. Then $F'$ contains $w_i \ne w_j$ for all $i \ne j$. Next ensure that $x \ne w_i$ is a conjunct for $1 \le i \le p$, as follows. Suppose that $F'$ contains the conjunct $x = w_i$ for some $1 \le i \le p$.

There is clearly at most one interpretation of $x$ that is equal to the interpretation of $w_i$, so if $\beta(F') \in \{2,3,\ldots,k,(k+1)^+\}$ then $F$ and $F'$ are contradictory and the entire conjunction is False, so assume $\beta(F') \in \{0,1\}$. For the same reason, $\exists^{=1} x.\,F'$ is equivalent to $\exists x.\,F'$, so if $\beta(F') = 1$, then replace $x$ with $w_i$ in $F'$, giving a GCCAT formula $F''$ such that $FV(F'') = FV(F)$. By the definition of GCCAT formulas, either $F$ and $F''$ are equivalent, so $F \wedge (\exists x.\,F'') \sim F$, or $F$ and $F''$ are contradictory, and the entire conjunction is False.

Assume therefore that $x \ne w_i$ occurs in $F'$ for all $1 \le i \le p$. This means that $F'$ is a GCCAT formula. Because $FV(F') = \{x, w_1,\ldots,w_p\}$ and $F'$ does not contain a literal complementary to a literal from $F$, eliminating from $F'$ the atomic formulas that occur in $F$ yields an element of $\mathrm{exts}(F,x)$.



To ensure that there exists exactly one conjunct of the form $\exists^s x.\,F'$ for each $F' \in \mathrm{exts}(F,x)$, use the fact that the formulas $\exists^{=i} x.\,F'$ for $0 \le i \le k$, together with $\exists^{\ge k+1} x.\,F'$, form a partition (they are mutually exclusive and their disjunction is True).

Lemma 13. If $e$ is an environment for language $L$, $C$ a counting-star formula in language $L$, and $m \in \{\{1\},\{2\},\{1,2\}\}$, then $[\![C]\!]e = [\![\mathcal{S}_m[C]]\!]e_m$.

Proof. Formula $E$ contains only equalities, so $[\![E]\!]e$ iff $[\![E]\!]e_m$. It therefore suffices to show that
\[
[\![\mathcal{K}[F] \circledast \mathcal{X}_m[\exists^{s_1} x.\,F'_1] \circledast \ldots \circledast \mathcal{X}_m[\exists^{s_k} x.\,F'_k]]\!]e_m = \mathrm{True} \tag{4}
\]
iff $[\![F]\!]e = \mathrm{True}$ and, for all $i$, $[\![\exists^{s_i} x.\,F'_i]\!]e = \mathrm{True}$.

$\Rightarrow$): Let (4) hold. Then there exist $e_0, e_1, \ldots, e_k$ such that $\mathrm{split}\, e_m\, [e_0, e_1, \ldots, e_k]$, $[\![\mathcal{K}[F]]\!]e_0 = \mathrm{True}$, and $[\![\mathcal{X}_m[\exists^{s_i} x.\,F'_i]]\!]e_i = \mathrm{True}$ for $1 \le i \le k$.

We first show $[\![F]\!]e = \mathrm{True}$. Note first that $[\![G_E]\!]e_i = \mathrm{True}$ for $1 \le i \le k$. Namely, because both $\langle F'\rangle^*_m$ and $\langle F'\rangle_m$ entail $G_E$, so does $\mathcal{X}_m[\exists^{s_i} x.\,F'_i]$, by the definition of $\mathcal{X}_m[\,]$ and of split. Therefore, $e_0$ is the only environment among $e_0, e_1, \ldots, e_k$ that may have non-empty relations between the elements interpreting $x_1,\ldots,x_n$. As a result, $[\![F]\!]e_m = [\![F]\!]e_0$. But $[\![F]\!]e_0 = \mathrm{True}$ because $[\![\mathcal{K}[F]]\!]e_0 = \mathrm{True}$. Therefore $[\![F]\!]e_m = \mathrm{True}$, and since $F$ contains no symbols from $L' \setminus L$, $[\![F]\!]e = \mathrm{True}$.

We next show $[\![\exists^{s_i} x.\,F'_i]\!]e = \mathrm{True}$ for $1 \le i \le k$. For $s_i = p^+$, from $[\![\mathcal{X}_m[\exists^{s_i} x.\,F'_i]]\!]e_i = \mathrm{True}$ we have that there exist $e_{i,0}, e_{i,1}, \ldots, e_{i,p}$ such that 1) $\mathrm{split}\, e_i\, [e_{i,0}, e_{i,1}, \ldots, e_{i,p}]$, 2) $[\![\langle F'_i\rangle^*_m]\!]e_{i,0} = \mathrm{True}$, and 3) $[\![\langle F'_i\rangle_m]\!]e_{i,j} = \mathrm{True}$ for $1 \le j \le p$. Similarly, for $s_i \le p$, we have that there exist $e_{i,1}, \ldots, e_{i,s_i}$ such that 1) $\mathrm{split}\, e_i\, [e_{i,1}, \ldots, e_{i,s_i}]$, and 2) $[\![\langle F'_i\rangle_m]\!]e_{i,j} = \mathrm{True}$ for $1 \le j \le s_i$. Note that whenever $[\![\langle F'_i\rangle_m]\!]e_{i,j}$ or $[\![\langle F'_i\rangle^*_m]\!]e_{i,j}$ holds, we can split the elements of the domain $D$ into two disjoint sets: the elements $E_{i,j}$ for which $\mathrm{empEx}_\emptyset(F,x)$ holds, and the elements $N_{i,j}$ for which $F'_i \wedge \mathrm{Mark}_m(x)$ holds. If $[\![\langle F'_i\rangle_m]\!]e_{i,j}$, then $|N_{i,j}| = 1$, by the definition of $\langle F'_i\rangle_m$. Moreover, by the definition of split and because $m \ne \emptyset$, we have $N_{i_1,j_1} \cap N_{i_2,j_2} = \emptyset$ for $(i_1,j_1) \ne (i_2,j_2)$. Observe that, for a given domain element $d \in D$, the atomic type extension corresponding to $e_m$ with $x \mapsto d$ is the union of the atomic type extensions corresponding to each $e_{i,j}$. The atomic type extension for $d$ in $e_{i,j}$ is either $F'_i \wedge \mathrm{Mark}_m(x)$ or $\mathrm{empEx}_\emptyset(F,x)$. Therefore, the atomic type extension for $d$ in $e_m$ is either $F'_i \wedge \mathrm{Mark}_m(x)$ if $d \in N_{i,j}$ for some $i,j$, or $\mathrm{empEx}_\emptyset(F,x)$ if $d \notin N_{i,j}$ for all $i,j$. If $N_i = \{d \mid [\![F'_i]\!]e_m[x \mapsto d] = \mathrm{True}\}$, then $N_i = \bigcup_j N_{i,j}$. If $s_i = k' \le p$ then $|N_i| = \sum_{j=1}^{k'} |N_{i,j}| = \sum_{j=1}^{k'} 1 = k'$, so $[\![\exists^{=k'} x.\,F'_i]\!]e_m = \mathrm{True}$. Because $\exists^{=k'} x.\,F'_i$ is a formula in language $L$, we have $[\![\exists^{=k'} x.\,F'_i]\!]e = \mathrm{True}$. Similarly, if $s_i = p^+$, then $|N_i| = |N_{i,0}| + \sum_{j=1}^p |N_{i,j}| = |N_{i,0}| + p \ge p$, so $[\![\exists^{\ge p} x.\,F'_i]\!]e_m = \mathrm{True}$ and therefore $[\![\exists^{\ge p} x.\,F'_i]\!]e = \mathrm{True}$. In both cases, $[\![\exists^{s_i} x.\,F'_i]\!]e = \mathrm{True}$.

This completes one direction of the implication; we next show the converse direction.

$\Leftarrow$): Let $[\![F]\!]e = \mathrm{True}$ and, for all $i$ with $1 \le i \le k$, $[\![\exists^{s_i} x.\,F'_i]\!]e = \mathrm{True}$. We construct environments $e_0, e_1, \ldots, e_k$ such that 1) $\mathrm{split}\, e_m\, [e_0, e_1, \ldots, e_k]$, 2) $[\![\mathcal{K}[F]]\!]e_0 = \mathrm{True}$, and 3) $[\![\mathcal{X}_m[\exists^{s_i} x.\,F'_i]]\!]e_i = \mathrm{True}$ for all $i$ with $1 \le i \le k$. We construct $e_0, e_1, \ldots, e_k$ by assigning the tuples of the relations in $e$ to one of the environments $e_0, e_1, \ldots, e_k$, as follows. We only need to decide on splitting the tuples $(d_1,\ldots,d_q)$ where all but at most one of the values $d_1,\ldots,d_q$ are from the set $D_x = \{e\,x_1,\ldots,e\,x_n\}$; the values of relations on other tuples do not affect the truth value of the formulas in question and can be split arbitrarily. If $\{d_1,\ldots,d_q\} \subseteq D_x$, then we assign the tuple to $e_0$; as a result, $[\![\mathcal{K}[F]]\!]e_0 = \mathrm{True}$. If $\{d_1,\ldots,d_q\} \setminus D_x = \{d\}$, then let $i$ be such that $F'_i$ is the unique extension of $F$ with the property $[\![F'_i]\!]e[x \mapsto d] = \mathrm{True}$. Then assign the tuple $(d_1,\ldots,d_q)$ to the environment $e_i$ and also assign the values $(e_m B_l)\, d$ for all $l \in m$ to $e_i$. Because we assign each relevant tuple to exactly one $e_i$, we ensure $\mathrm{split}\, e_m\, [e_0, e_1, \ldots, e_k]$. Let $D_e = \{d \mid [\![F'_i]\!]e[x \mapsto d] = \mathrm{True}\}$; then also $D_e = \{d \mid [\![F'_i]\!]e_i[x \mapsto d] = \mathrm{True}\}$. Because $[\![\exists^{s_i} x.\,F'_i]\!]e = \mathrm{True}$, $|D_e| = s_i$ for $s_i \le p$ and $|D_e| \ge p$ for $s_i = p^+$. Let $s_i \le p$. Then split $e_i$ into $e_{i,1}, \ldots, e_{i,s_i}$ by assigning exactly one element $d \in D_e$ to each $e_{i,j}$. When assigning an element we assign the values of all relations from $L$, as well as the relations $B_1$ and $B_2$. This ensures that $[\![\langle F'_i\rangle_m]\!]e_{i,j} = \mathrm{True}$ for all $1 \le j \le s_i$. For $s_i = p^+$, we split $e_i$ into $e_{i,0}, e_{i,1}, \ldots, e_{i,p}$ by assigning exactly one element to each of $e_{i,1}, \ldots, e_{i,p}$ and assigning the remaining elements to $e_{i,0}$. In both cases, we obtain $[\![\mathcal{X}_m[\exists^{s_i} x.\,F'_i]]\!]e_i = \mathrm{True}$.

Lemma 15. If G\ ^> G2, then G2 => G\ is valid. 

Proof. We show the claim for each of the rules (l)-(6). 

Rule (1): Let 7\ T 2 be defined and let [flTi ©T 2 Di, 2 ]e = True for an V- 
environment e. Let d E D be the unique domain element such that [Ti0T 2 ]e[x 
d] = True. Let ei and e 2 be such that splite [ei, e 2 ], [Ti]ei[x ^ d] = True and 
[T 2 ]e 2 [x i-> d] = True, and e v B q d = True iff p = q for p, g G {1,2}. In other 
words, ei and e 2 split e by assigning tuples validating T\ to ei, tuples validating 
T 2 to e 2 , and by assigning _Bi to e\ and i? 2 to e 2 on the clement d. The values 
of relations e r containing tuples with an element d' £ {exi, . . . , ex n , d} are all 
False, because {(\Ti T 2 |) li2 ]e = True, so we let the values of e^r and e 2 r for those 
tuples also be empty. Then d is the only element outside {exi, . . . , ex„} such that 
Pil e i[x > d] = True, and d is also the only element outside {exi, . . . , ex„} such 
that [T 2 ]e 2 [x ^ d] = True. As a result, [flTiDi]ei = True and [dT 2 D 2 ]e 2 = True, 
so [flTiDi ®<\T 2 hje = True. 

To show the claim for rules (2), (3), (4), we proceed similarly as for rule (1). 

Rule (2): Let $T_1 \circledast T_2$ be defined and let $\llbracket \langle\!|T_1 \circledast T_2|\!\rangle_{1,2} \circledast \langle\!|T_2|\!\rangle^{*}_{2} \rrbracket e = \mathit{True}$. Then there are $e'$ and $e''$ such that $\mathit{split}\; e\; [e', e'']$, $\llbracket \langle\!|T_1 \circledast T_2|\!\rangle_{1,2} \rrbracket e' = \mathit{True}$ and $\llbracket \langle\!|T_2|\!\rangle^{*}_{2} \rrbracket e'' = \mathit{True}$. Let $d$ be the unique element such that $\llbracket T_1 \circledast T_2 \rrbracket e'[x \mapsto d] = \mathit{True}$, and let $d_1, \dots, d_k$ be the list of all (distinct) elements such that $\llbracket T_2 \rrbracket e''[x \mapsto d_i] = \mathit{True}$. Note that $d \notin \{d_1, \dots, d_k\}$, because $e'\, B_2\, d = \mathit{True}$, $e''\, B_2\, d_i = \mathit{True}$ for all $1 \le i \le k$, and $\mathit{split}\; e\; [e', e'']$ requires the relations of $e'$ and $e''$ to be disjoint. We construct $e_1$ and $e_2$ such that $\mathit{split}\; e\; [e_1, e_2]$ as follows. We assign $B_1$, as well as the values of the relations that hold according to $T_1$ on the element $d$, to $e_1$, and we assign $B_2$, as well as the values of the relations that hold according to $T_2$ on the element $d$, to $e_2$. We also assign $B_2$, as well as the values of the relations that hold according to $T_2$ on $d_1, \dots, d_k$, to $e_2$. The values of $B_1$ and of the relations on $d_1, \dots, d_k$ in $e_1$ are $\mathit{False}$. For such $e_1$ and $e_2$ we have $\llbracket \langle\!|T_1|\!\rangle_1 \rrbracket e_1 = \mathit{True}$ and $\llbracket \langle\!|T_2|\!\rangle^{*}_{2} \rrbracket e_2 = \mathit{True}$, so $\llbracket \langle\!|T_1|\!\rangle_1 \circledast \langle\!|T_2|\!\rangle^{*}_{2} \rrbracket e = \mathit{True}$.

Rule (3) is analogous to rule (2).

Rule (4): Let $T_1 \circledast T_2$ be defined and let $\llbracket \langle\!|T_1|\!\rangle^{*}_{1} \circledast \langle\!|T_2|\!\rangle^{*}_{2} \circledast \langle\!|T_1 \circledast T_2|\!\rangle^{*}_{1,2} \rrbracket e = \mathit{True}$. Then there are $e', e'', e'''$ such that $\mathit{split}\; e\; [e', e'', e''']$, $\llbracket \langle\!|T_1|\!\rangle^{*}_{1} \rrbracket e' = \mathit{True}$, $\llbracket \langle\!|T_2|\!\rangle^{*}_{2} \rrbracket e'' = \mathit{True}$, and $\llbracket \langle\!|T_1 \circledast T_2|\!\rangle^{*}_{1,2} \rrbracket e''' = \mathit{True}$. Consider the three sets of elements $N', N'', N'''$, where $N'$ contains the elements that validate $T_1$ in $e'$, $N''$ contains the elements that validate $T_2$ in $e''$, and $N'''$ contains the elements that validate $T_1 \circledast T_2$ in $e'''$. We have $N' \cap N''' = \emptyset$ and $N'' \cap N''' = \emptyset$, whereas $N' \cap N''$ need not be empty. Each element $d \notin \{e\,x_1, \dots, e\,x_n\}$ validates in $e$ either 1) $\mathit{empEx}_0(K_1, x)$, if $d \notin N' \cup N'' \cup N'''$, or 2) $T_1$, if $d \in N' \setminus N''$, or 3) $T_2$, if $d \in N'' \setminus N'$, or 4) $T_1 \circledast T_2$, if $d \in (N' \cap N'') \cup N'''$. We construct environments $e_1, e_2$ by assigning $B_1$ and the relations from $T_1$ on the elements in $N' \setminus N''$ to $e_1$, assigning $B_2$ and the relations from $T_2$ on the elements in $N'' \setminus N'$ to $e_2$, and splitting the relations on the elements in $(N' \cap N'') \cup N'''$ into those for $T_1$, which we assign to $e_1$, and those for $T_2$, which we assign to $e_2$. We then have $\llbracket \langle\!|T_1|\!\rangle^{*}_{1} \rrbracket e_1 = \mathit{True}$ and $\llbracket \langle\!|T_2|\!\rangle^{*}_{2} \rrbracket e_2 = \mathit{True}$, so $\llbracket \langle\!|T_1|\!\rangle^{*}_{1} \circledast \langle\!|T_2|\!\rangle^{*}_{2} \rrbracket e = \mathit{True}$.

Rules (5), (6): Directly from the definitions of $\mathit{emp}_e$ and $\langle\!|F|\!\rangle^{*}_{m}$ it follows that $\mathit{emp}_e \Rightarrow \langle\!|F|\!\rangle^{*}_{m}$ is valid.

Lemma 17. $(\bigvee_{\kappa(C_1, C_2, C_3)} C_3) \Rightarrow (C_1 \circledast C_2)$ is a valid formula for every pair of counting star formulas $C_1$ and $C_2$.

Proof. Let $\llbracket \bigvee_{\kappa(C_1, C_2, C_3)} C_3 \rrbracket e = \mathit{True}$ for some $L$-environment $e$. Then $\llbracket C_3 \rrbracket e = \mathit{True}$ for some $C_3$ such that $\mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2] \rightsquigarrow^{*} \mathcal{S}_{1,2}[C_3]$. By Lemma 16, $\mathcal{S}_{1,2}[C_3] \Rightarrow \mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2]$ is valid. By Lemma 13 and $\llbracket C_3 \rrbracket e = \mathit{True}$, we have $\llbracket \mathcal{S}_{1,2}[C_3] \rrbracket e^{1,2} = \mathit{True}$. Therefore, $\llbracket \mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2] \rrbracket e^{1,2} = \mathit{True}$. This means that there are $e_1$ and $e_2$ such that $\mathit{split}\; e^{1,2}\; [e_1, e_2]$, $\llbracket \mathcal{S}_1[C_1] \rrbracket e_1 = \mathit{True}$, and $\llbracket \mathcal{S}_2[C_2] \rrbracket e_2 = \mathit{True}$. From Lemma 13 we have $\llbracket C_1 \rrbracket \bar{e}_1 = \mathit{True}$ and $\llbracket C_2 \rrbracket \bar{e}_2 = \mathit{True}$. From $\mathit{split}\; e^{1,2}\; [e_1, e_2]$ it follows that $\mathit{split}\; e\; [\bar{e}_1, \bar{e}_2]$, so $\llbracket C_1 \circledast C_2 \rrbracket e = \mathit{True}$.

Lemma 18. $C_1 \circledast C_2 \Rightarrow \bigvee_{\kappa(C_1, C_2, C_3)} C_3$ is a valid formula for every pair of counting star formulas $C_1$ and $C_2$.

Proof. Let $\llbracket C_1 \circledast C_2 \rrbracket e = \mathit{True}$ for some $L$-environment $e$. Then there are $e_1$ and $e_2$ such that $\mathit{split}\; e\; [e_1, e_2]$, $\llbracket C_1 \rrbracket e_1 = \mathit{True}$ and $\llbracket C_2 \rrbracket e_2 = \mathit{True}$. By Lemma 13, $\llbracket \mathcal{S}_1[C_1] \rrbracket e_1^{1} = \mathit{True}$ and $\llbracket \mathcal{S}_2[C_2] \rrbracket e_2^{2} = \mathit{True}$. We construct $\mathcal{S}_{1,2}[C_3]$ such that $\mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2] \rightsquigarrow^{*} \mathcal{S}_{1,2}[C_3]$ and $\llbracket C_3 \rrbracket e = \mathit{True}$, as follows.

Let $K_1$ be the GCCAT part of $C_1$ and let $K_2$ be the GCCAT part of $C_2$. Let $D_x = D \setminus \{e\,x_1, \dots, e\,x_n\}$. For each $d \in D_x$, let $T_1^d$ be the type extension induced by $d$ in $e_1$, that is, let $T_1^d \in \mathit{exts}(K_1, x)$ be the formula such that $\llbracket T_1^d \rrbracket e_1^{1}[x \mapsto d] = \mathit{True}$. Similarly, let $T_2^d \in \mathit{exts}(K_2, x)$ be the formula such that $\llbracket T_2^d \rrbracket e_2^{2}[x \mapsto d] = \mathit{True}$. Because $\mathit{split}\; e\; [e_1, e_2]$, the operation $T_1^d \circledast T_2^d$ is defined and $\llbracket T_1^d \circledast T_2^d \rrbracket e^{1,2}[x \mapsto d] = \mathit{True}$. Because $\llbracket \mathcal{S}_1[C_1] \rrbracket e_1^{1} = \mathit{True}$, with each $d$ we can associate an occurrence $\mu_1(d)$ in $\mathcal{S}_1[C_1]$ of a formula $F_{\mu_1(d)}$ which is of the form $\langle\!|T_1^d|\!\rangle_1$ or of the form $\langle\!|T_1^d|\!\rangle^{*}_{1}$, and an environment $e_{1,\mu_1(d)}$, such that $\mathit{split}\; e_1^{1}\; [e_{1,0}, (e_{1,\mu_1(d)})_{\mu_1(d)}]$, $\llbracket \mathcal{K}[K_1] \rrbracket e_{1,0} = \mathit{True}$, and $\llbracket F_{\mu_1(d)} \rrbracket e_{1,\mu_1(d)} = \mathit{True}$ for every $d$. Analogously, with each $d$ we can associate an occurrence $\mu_2(d)$ in $\mathcal{S}_2[C_2]$ of a formula $F_{\mu_2(d)}$ which is of the form $\langle\!|T_2^d|\!\rangle_2$ or of the form $\langle\!|T_2^d|\!\rangle^{*}_{2}$, and an environment $e_{2,\mu_2(d)}$, such that $\mathit{split}\; e_2^{2}\; [e_{2,0}, (e_{2,\mu_2(d)})_{\mu_2(d)}]$, $\llbracket \mathcal{K}[K_2] \rrbracket e_{2,0} = \mathit{True}$, and $\llbracket F_{\mu_2(d)} \rrbracket e_{2,\mu_2(d)} = \mathit{True}$ for every $d$.

We compute $C_3$ by first combining $\mathcal{K}[K_1]$ and $\mathcal{K}[K_2]$ into $\mathcal{K}[K_1 \circledast K_2]$. From $\mathit{split}\; e\; [e_1, e_2]$ we conclude that the operation $K_1 \circledast K_2$ is well defined and that $\llbracket \mathcal{K}[K_1 \circledast K_2] \rrbracket e_0^{1,2} = \mathit{True}$, where $e_0^{1,2}$ is given by $\mathit{split}\; e_0^{1,2}\; [e_{1,0}, e_{2,0}]$.

We next apply rules (1)-(4) in Figure 7, as follows:

1. apply rule (1) once to each pair of occurrences $\mu_1(d)$ and $\mu_2(d)$ if they are of the form $\langle\!|T_1^d|\!\rangle_1$ and $\langle\!|T_2^d|\!\rangle_2$, respectively; let $\mu(d)$ be the occurrence of the resulting formula $F_{\mu(d)} = \langle\!|T_1^d \circledast T_2^d|\!\rangle_{1,2}$;

2. apply rule (2) once to each pair of occurrences $\mu_1(d)$ and $\mu_2(d)$ if $\mu_1(d)$ is an occurrence of the form $\langle\!|T_1^d|\!\rangle_1$ and $\mu_2(d)$ is an occurrence of the form $\langle\!|T_2^d|\!\rangle^{*}_{2}$; let $\mu(d)$ be the occurrence of the formula $F_{\mu(d)} = \langle\!|T_1^d \circledast T_2^d|\!\rangle_{1,2}$ obtained as one of the results;

3. apply rule (3) once to each pair of occurrences $\mu_1(d)$ and $\mu_2(d)$ if $\mu_1(d)$ is an occurrence of the form $\langle\!|T_1^d|\!\rangle^{*}_{1}$ and $\mu_2(d)$ is an occurrence of the form $\langle\!|T_2^d|\!\rangle_2$; let $\mu(d)$ be the occurrence of the formula $F_{\mu(d)} = \langle\!|T_1^d \circledast T_2^d|\!\rangle_{1,2}$ obtained as one of the results;

4. apply rule (4) once for each pair of occurrences of formulas of the form $\langle\!|T_1|\!\rangle^{*}_{1}$ and $\langle\!|T_2|\!\rangle^{*}_{2}$ for which $T_1 \circledast T_2$ is defined; for each $d$ such that $\mu_1(d)$ is an occurrence of $\langle\!|T_1^d|\!\rangle^{*}_{1}$ and $\mu_2(d)$ is an occurrence of $\langle\!|T_2^d|\!\rangle^{*}_{2}$, let $\mu(d)$ be the occurrence of the resulting formula $F_{\mu(d)} = \langle\!|T_1^d \circledast T_2^d|\!\rangle^{*}_{1,2}$.

Note that no rule is applied twice to the same pair of occurrences of formulas. This means that the number of rule applications is uniformly bounded (by the number of pairs of occurrences in $\mathcal{S}_1[C_1]$ and $\mathcal{S}_2[C_2]$), despite the fact that there is no bound on the size of the model $e$. In particular, there is no bound on the number of elements $d$ covered by a single application of rule (4). Each formula of the form $\langle\!|T|\!\rangle_1$ is $F_{\mu_1(d)}$ for some $d$ and each formula of the form $\langle\!|T|\!\rangle_2$ is $F_{\mu_2(d)}$ for some $d$, and all such formulas are consumed by applications of rules (1)-(3), so the resulting formula has no subformulas of the form $\langle\!|T|\!\rangle_1$ or $\langle\!|T|\!\rangle_2$. After applying rules (1)-(4), apply rules (5) and (6) to all applicable formulas. The resulting formula $F_R$ has no occurrences of $\langle\!|T|\!\rangle^{*}_{1}$ or $\langle\!|T|\!\rangle^{*}_{2}$ either; it contains only occurrences of formulas of the forms $\langle\!|T|\!\rangle_{1,2}$ and $\langle\!|T|\!\rangle^{*}_{1,2}$.

For each of the finitely many occurrences $\mu(d)$ in $F_R$ we construct $e^{1,2}_{\mu(d)}$, splitting $e^{1,2}$ into the environment $e_0^{1,2}$ defined above and the environments $e^{1,2}_{\mu(d)}$, by assigning the type extension of $d$ in $e^{1,2}$ to $e^{1,2}_{\mu(d)}$. By construction, $\mathit{split}\; e^{1,2}\; [e_0^{1,2}, (e^{1,2}_{\mu(d)})_{\mu(d)}]$. To show $\llbracket F_R \rrbracket e^{1,2} = \mathit{True}$, it suffices to show

    $\llbracket F_c \rrbracket e_c^{1,2} = \mathit{True}$    (5)

for every occurrence $c = \mu(d_0)$. Fix an occurrence $c$, and let $S = \{d \mid \mu(d) = c\}$. By definition of $e_c^{1,2}$, the type extension induced by each $d \in S$ in $e_c^{1,2}$ is $T_1^d \circledast T_2^d$ (the same formula for all $d \in S$), and the type extension of each $d \in D_x \setminus S$ is an empty extension. Therefore, $\llbracket \langle\!|T_1^{d_0} \circledast T_2^{d_0}|\!\rangle^{*}_{1,2} \rrbracket e_c^{1,2} = \mathit{True}$. If $F_c = \langle\!|T_1^{d_0} \circledast T_2^{d_0}|\!\rangle^{*}_{1,2}$ then equation (5) already holds. If $F_c = \langle\!|T_1^{d_0} \circledast T_2^{d_0}|\!\rangle_{1,2}$, then $F_c$ was generated by one of the rules (1)-(3), which means that $S$ is a singleton set. Namely, if $F_c$ was generated by rule (1) or (2), then there is exactly one $d$ whose occurrence $\mu_1(d)$ was consumed in producing $c$, namely $d_0$, and similarly if $F_c$ was generated by rule (3), then there is exactly one $d$ whose occurrence $\mu_2(d)$ was consumed in producing $c$, again $d_0$. In both cases $S = \{d_0\}$, so $d_0$ is the unique $d$ with type extension $T_1^{d_0} \circledast T_2^{d_0}$ in $e_c^{1,2}$, which means that $\llbracket \langle\!|T_1^{d_0} \circledast T_2^{d_0}|\!\rangle_{1,2} \rrbracket e_c^{1,2} = \mathit{True}$ and equation (5) holds.

We finally apply idempotence to ensure that no $\langle\!|T|\!\rangle^{*}_{m}$ occurs more than once. The resulting formula $F'_R$ is equivalent to $F_R$, so $\llbracket F'_R \rrbracket e^{1,2} = \mathit{True}$; $F'_R$ is of the form $\mathcal{S}_{1,2}[C_3]$, and $\mathcal{S}_1[C_1] \circledast \mathcal{S}_2[C_2] \rightsquigarrow^{*} \mathcal{S}_{1,2}[C_3]$. From $\mathcal{S}_{1,2}[C_3]$ we recover $C_3$ using the inverse of the translation in Figure 6. By Lemma 13 we have $\llbracket C_3 \rrbracket e = \mathit{True}$, completing the proof.